Abstract

The Maude-NRL Protocol Analyzer (Maude-NPA) is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. It both extends and provides a formal framework for the original NRL Protocol Analyzer, which supported equational reasoning in a more limited way. Maude-NPA supports a wide variety of algebraic properties that includes many cryptosystems of interest such as, for example, one-time pads and Diffie-Hellman. Maude-NPA, like the original NPA, looks for attacks by searching backwards from an insecure attack state, and assumes an unbounded number of sessions. Because of the unbounded number of sessions and the support for different equational theories, it is necessary to develop ways of reducing the search space and avoiding infinite search paths. For these techniques to be useful, they must not only speed up the search but also preserve completeness, so that failure to find an attack still guarantees security. In this paper we describe some state space reduction techniques that we have implemented in Maude-NPA. We also provide completeness proofs and experimental evaluations of their effect on the performance of Maude-NPA.



1. Introduction 

The Maude-NPA is a tool and inference system for reasoning about the security of cryptographic protocols in which the cryptosystems satisfy different equational properties. The tool handles searches in the unbounded session model, and thus can be used to provide proofs of security as well as to search for attacks. It is the next generation of the NRL Protocol Analyzer, a tool that supported limited equational reasoning and was successfully applied to the analysis of many different protocols. In Maude-NPA we improve on the original NPA in three ways. First of all, unlike NPA, which required considerable interaction with the user, Maude-NPA is completely automated (see [7]). Secondly, its inference system has a formal basis in terms of rewriting logic and narrowing, which allows us to provide proofs of soundness and completeness (see [4]). Finally, the tool's inference system supports reasoning modulo the algebraic properties of cryptographic and other functions. Such algebraic properties are expressed as equational theories $E = E' \uplus Ax$ whose equations $E'$ are confluent, coherent, and terminating rewrite rules modulo equational axioms $Ax$ such as commutativity (C), associativity-commutativity (AC), or associativity-commutativity plus identity (ACU) of some function symbols. The Maude-NPA then has both dedicated and generic methods for solving unification problems in such theories $E = E' \uplus Ax$ [10, 11, 12], which under appropriate checkable conditions [9] yield finitary unification algorithms.

Since Maude-NPA allows reasoning in the unbounded session model, and because it allows reasoning about different equational theories (which typically generate many more solutions to unification problems than syntactic unification, leading to bigger state spaces), it is necessary to find ways of pruning the search space in order to prevent infinite or overwhelmingly large search spaces. One technique for preventing infinite searches is the generation of formal grammars describing terms unreachable by the intruder (see Section 4.1). However, grammars do not prune out all infinite searches, since unbounded session security is undecidable, and there is a need for other techniques. Moreover, even when a search space is finite it may still be necessary to reduce it to a manageable size, and state space reduction techniques for doing that will be necessary. In this paper we describe some of the major state space reduction techniques that we have implemented in Maude-NPA, and provide completeness proofs and experimental evaluations demonstrating an average state-space size reduction of 99% (i.e., the average size of the reduced state space is 1% of that of the original one) in the examples we have evaluated. Furthermore, we show that our combined techniques are effective in obtaining a finite state space for all protocols in our experiments.

The optimizations we describe in this paper were designed specifically for Maude-NPA, and work within the context of Maude-NPA search techniques. However, although different tools use different models and search algorithms, they all share enough in their syntax and semantics that, with some adaptations, optimization techniques developed for one tool or type of tool can be applied to other tools as well. Indeed, we have already seen such common techniques arise, for example the technique of giving priority to input or output messages respectively when backwards or forwards search is used (used by us and by Shmatikov and Stern in [20]) and the use of the lazy intruder (used by us and, in a different form, by the On-the-Fly Model Checker [1]). One of our motivations for publishing our work on optimizations is to encourage the further interaction and adaptation of the techniques for use in different tools.

The rest of the paper is organized as follows. After some preliminaries in Section 2, we describe in Section 3 the model of computation used by the Maude-NPA. In Section 4 we describe the various state space reduction techniques that have been introduced to control state explosion, and give proofs of their completeness as well as showing their relations to other optimization techniques in the literature. We first briefly describe how automatically generated grammars provide the main reduction that cuts down the search space. Then, we describe how we obtain a second important state-space reduction by reducing the number of logical variables present in a state. The additional state space reduction techniques presented in this paper are: (i) giving priority to input messages in strands, (ii) early detection of inconsistent states (that will never reach an initial state), (iii) a relation of transition subsumption (to discard transitions and states already being processed in another part of the search space), and (iv) the super-lazy intruder (to delay the generation of substitution instances as much as possible). In Section 5 we describe our experimental evaluation of these state-space reduction techniques. In Section 6 we describe future work and conclude the paper. This is an extended and improved version of [5], including proofs of all the results, a refinement of the interaction between the transition subsumption and the super-lazy intruder (Section 4.7.2), more examples and explanations, as well as more benchmarked protocols.



2. Background on Term Rewriting 

We follow the classical notation and terminology from [20] for term rewriting and from [16, 17] for rewriting logic and order-sorted notions. We assume an order-sorted signature $\Sigma$ with a finite poset of sorts $(S, \leq)$ and a finite number of function symbols. We assume an $S$-sorted family $X = \{X_s\}_{s \in S}$ of mutually disjoint variable sets, each countably infinite. $T_\Sigma(X)_s$ denotes the set of terms of sort $s$, and $T_{\Sigma,s}$ the set of ground terms of sort $s$. We write $T_\Sigma(X)$ and $T_\Sigma$ for the corresponding term algebras. We write $Var(t)$ for the set of variables present in a term $t$. The set of positions of a term $t$ is written $Pos(t)$, and the set of non-variable positions $Pos_\Sigma(t)$. The subterm of $t$ at position $p$ is $t|_p$, and $t[u]_p$ is the result of replacing $t|_p$ by $u$ in $t$. A substitution $\sigma$ is a sort-preserving mapping from a finite subset of $X$, written $Dom(\sigma)$, to $T_\Sigma(X)$. The set of variables introduced by $\sigma$ is $Ran(\sigma)$. The identity substitution is $id$. Substitutions are homomorphically extended to $T_\Sigma(X)$. The restriction of $\sigma$ to a set of variables $V$ is $\sigma|_V$. The composition of two substitutions is $(\sigma \circ \theta)(x) = \theta(\sigma(x))$ for $x \in X$.

A $\Sigma$-equation is an unoriented pair $t = t'$, where $t \in T_\Sigma(X)_s$, $t' \in T_\Sigma(X)_{s'}$, and $s$ and $s'$ are sorts in the same connected component of the poset $(S, \leq)$. Given a set $E$ of $\Sigma$-equations, order-sorted equational logic induces a congruence relation $=_E$ on terms $t, t' \in T_\Sigma(X)$ (see [17]). Throughout this paper we assume that $T_{\Sigma,s} \neq \emptyset$ for every sort $s$. We denote the $E$-equivalence class of a term $t \in T_\Sigma(X)$ as $[t]_E$ and the $E$-equivalence classes of all terms $T_\Sigma(X)$ and $T_\Sigma(X)_s$ as $T_{\Sigma/E}(X)$ and $T_{\Sigma/E}(X)_s$, respectively.

For a set $E$ of $\Sigma$-equations, an $E$-unifier for a $\Sigma$-equation $t = t'$ is a substitution $\sigma$ s.t. $\sigma(t) =_E \sigma(t')$. A complete set of $E$-unifiers of an equation $t = t'$ is written $CSU_E(t = t')$. We say $CSU_E(t = t')$ is finitary if it contains a finite number of $E$-unifiers. $CSU(t = t')$ denotes a complete set of syntactic order-sorted unifiers between terms $t$ and $t'$, i.e., without any equational property.

A rewrite rule is an oriented pair $l \to r$, where $l \notin X$ and $l, r \in T_\Sigma(X)_s$ for some sort $s \in S$. An (unconditional) order-sorted rewrite theory is a triple $\mathcal{R} = (\Sigma, E, R)$ with $\Sigma$ an order-sorted signature, $E$ a set of $\Sigma$-equations, and $R$ a set of rewrite rules. A topmost rewrite theory $(\Sigma, E, R)$ is a rewrite theory s.t. for each $l \to r \in R$, $l, r \in T_\Sigma(X)_{State}$ for a top sort $State$, $r \notin X$, and no operator in $\Sigma$ has $State$ as an argument sort.

The rewriting relation $\to_R$ on $T_\Sigma(X)$ is $t \to_{p,R} t'$ (or $\to_R$) if $p \in Pos_\Sigma(t)$, $l \to r \in R$, $t|_p = \sigma(l)$, and $t' = t[\sigma(r)]_p$ for some $\sigma$. The relation $\to_{R/E}$ on $T_\Sigma(X)$ is $=_E ; \to_R ; =_E$, i.e., $t \to_{R/E} s$ iff $\exists u_1, u_2 \in T_\Sigma(X)$ s.t. $t =_E u_1$, $u_1 \to_R u_2$, and $u_2 =_E s$. Note that $\to_{R/E}$ on $T_\Sigma(X)$ induces a relation $\to_{R/E}$ on $T_{\Sigma/E}(X)$ by $[t]_E \to_{R/E} [t']_E$ iff $t \to_{R/E} t'$.

When $\mathcal{R} = (\Sigma, E, R)$ is a topmost rewrite theory, we can safely restrict ourselves to the general rewriting relation $\to_{R,E}$ on $T_\Sigma(X)$, where the rewriting relation $\to_{R,E}$ on $T_\Sigma(X)$ is $t \to_{p,R,E} t'$ (or $\to_{R,E}$) if $p \in Pos_\Sigma(t)$, $l \to r \in R$, $t|_p =_E \sigma(l)$, and $t' = t[\sigma(r)]_p$ for some $\sigma$. Note that $\to_{R,E}$ on $T_\Sigma(X)$ induces a relation $\to_{R,E}$ on $T_{\Sigma/E}(X)$ by $[t]_E \to_{R,E} [t']_E$ iff $\exists w \in T_\Sigma(X)$ s.t. $t \to_{R,E} w$ and $w =_E t'$. We say that a term $t$ is $R,E$-irreducible if there is no term $t'$ such that $t \to_{R,E} t'$; this is extended to substitutions in the obvious way.

The narrowing relation $\leadsto_R$ on $T_\Sigma(X)$ is $t \leadsto_{\sigma,R} t'$ (or $\leadsto_{\sigma,R}$, $\leadsto_R$) if $p \in Pos_\Sigma(t)$, $l \to r \in R$, $\sigma \in CSU(t|_p = l)$, and $t' = \sigma(t[r]_p)$. Assuming that $E$ has a finitary and complete unification algorithm, the narrowing relation $\leadsto_{R,E}$ on $T_\Sigma(X)$ is $t \leadsto_{\sigma,R,E} t'$ (or $\leadsto_{\sigma,R,E}$, $\leadsto_{R,E}$) if $p \in Pos_\Sigma(t)$, $l \to r \in R$, $\sigma \in CSU_E(t|_p = l)$, and $t' = \sigma(t[r]_p)$.

The use of topmost rewrite theories is entirely natural for communication protocols, since all state transitions can be viewed as changes of the global distributed state. It also provides several advantages (see [21]): (i) as pointed out above, the relation $\to_{R,E}$ achieves the same effect as the relation $\to_{R/E}$, and (ii) we obtain a completeness result between narrowing ($\leadsto_{R,E}$) and rewriting ($\to_{R/E}$).

Theorem 1 (Topmost Completeness). Let $\mathcal{R} = (\Sigma, E, R)$ be a topmost rewrite theory, $t, t' \in T_\Sigma(X)$, and let $\sigma$ be a substitution such that $\sigma(t) \to^*_{R/E} t'$. Then, there are substitutions $\theta$, $\tau$ and a term $t''$ such that $t \leadsto^*_{\theta,R,E} t''$, $\sigma(t) =_E \tau(\theta(t))$, and $t' =_E \tau(t'')$.

In this paper, we consider only equational theories $E = E' \uplus Ax$ such that the rewrite rules $E'$ are confluent, coherent, and terminating modulo axioms $Ax$ such as commutativity (C), associativity-commutativity (AC), or associativity-commutativity plus identity (ACU) of some function symbols. We also require axioms $Ax$ to be regular, i.e., for each equation $l = r \in Ax$, $Var(l) = Var(r)$. Note that axioms such as commutativity (C), associativity-commutativity (AC), or associativity-commutativity plus identity (ACU) are regular. The Maude-NPA then has both dedicated and generic methods for solving unification problems in such theories $E' \uplus Ax$ [10, 11, 12].
3. Maude-NPA's Execution Model



Given a protocol $\mathcal{P}$, we first explain how its states are modeled algebraically. The key idea is to model protocol states as elements of an initial algebra $T_{\Sigma_\mathcal{P}/E_\mathcal{P}}$, where $\Sigma_\mathcal{P}$ is the signature defining the sorts and function symbols for the cryptographic functions and for all the state constructor symbols, and $E_\mathcal{P}$ is a set of equations specifying the algebraic properties of the cryptographic functions and the state constructors. Therefore, a state is an $E_\mathcal{P}$-equivalence class $[t] \in T_{\Sigma_\mathcal{P}/E_\mathcal{P}}$ with $t$ a ground $\Sigma_\mathcal{P}$-term. However, since the number of states in $T_{\Sigma_\mathcal{P}/E_\mathcal{P}}$ is in general infinite, rather than exploring concrete protocol states $[t] \in T_{\Sigma_\mathcal{P}/E_\mathcal{P}}$ we explore symbolic state patterns $[t(x_1, \ldots, x_n)] \in T_{\Sigma_\mathcal{P}/E_\mathcal{P}}(X)$ on the free $(\Sigma_\mathcal{P}, E_\mathcal{P})$-algebra over a set of variables $X$. In this way, a state pattern $[t(x_1, \ldots, x_n)]$ represents not a single concrete state but a possibly infinite set of such states, namely all the instances of the pattern $[t(x_1, \ldots, x_n)]$ where the variables $x_1, \ldots, x_n$ have been instantiated by concrete ground terms.

In the Maude-NPA [7], a state in the protocol execution is a term $t$ of sort $State$, $t \in T_{\Sigma_\mathcal{P}/E_\mathcal{P}}(X)_{State}$. A state is then a multiset built by an associative and commutative union operator $\_\&\_$ with identity operator $\emptyset$. Each element in the multiset is either a strand or the intruder's knowledge at that state, both explained below.

A strand [13] represents the sequence of messages sent and received by a principal executing the protocol or by the intruder. A principal sending (resp. receiving) a message $msg$ is represented by $msg^+$ (resp. $msg^-$). We write $msg^\pm$ to denote $m^+$ or $m^-$, indistinctively. We often write $+(m)$ and $-(m)$ instead of $m^+$ and $m^-$, respectively. A strand is then a list $[msg_1^\pm, msg_2^\pm, msg_3^\pm, \ldots, msg_{k-1}^\pm, msg_k^\pm]$ describing the sequence of send and receive actions of a principal role in a protocol, where each $msg_i$ is a term of a special sort $Msg$ described below, i.e., $msg_i \in T_{\Sigma_\mathcal{P}/E_\mathcal{P}}(X)_{Msg}$. In Maude-NPA, strands evolve over time as the send and receive actions take place, and thus we use the symbol $|$ to divide past and future in a strand, i.e., $[nil, msg_1^\pm, \ldots, msg_{j-1}^\pm \mid msg_j^\pm, msg_{j+1}^\pm, \ldots, msg_k^\pm, nil]$ where $msg_1^\pm, \ldots, msg_{j-1}^\pm$ are the past messages, and $msg_j^\pm, msg_{j+1}^\pm, \ldots, msg_k^\pm$ are the future messages ($msg_j^\pm$ is the immediate future message). The $nil$s are present so that the bar may be placed at the beginning or end of the strand if necessary. A strand $[msg_1^\pm, \ldots, msg_k^\pm]$ is a shorthand for $[nil \mid msg_1^\pm, \ldots, msg_k^\pm, nil]$. We often remove the $nil$s for clarity, except when there is nothing else between the vertical bar and the beginning or end of a strand. We write $S_\mathcal{P}$ for the set of strands in the specification of the protocol $\mathcal{P}$, including the strands that describe the intruder's behavior.

The intruder's knowledge is represented as a multiset of facts unioned together with an associative and commutative union operator $\_,\_$ with identity operator $\emptyset$. There are two kinds of intruder facts: positive knowledge facts (the intruder knows message expression $m$, i.e., $m \in \mathcal{I}$), and negative knowledge facts (the intruder does not yet know $m$ but will know it in a future state, i.e., $m \notin \mathcal{I}$).

Maude-NPA uses a special sort $Msg$ of messages that allows the protocol specifier to describe other sorts as subsorts of the top sort $Msg$. The specifier can make use of another special sort $Fresh$ in the protocol-specific signature $\Sigma$ for representing fresh unguessable values, e.g., nonces. The meaning of a variable of sort $Fresh$ is that it will never be instantiated by an $E_\mathcal{P}$-unifier generated during the protocol analysis. This ensures that if two nonces are represented using different variables of sort $Fresh$, they will never be identified and no approximation for nonces is necessary. We make explicit the $Fresh$ variables $r_1, \ldots, r_k$ ($k \geq 0$) generated by a strand by writing $:: r_1, \ldots, r_k :: [msg_1^\pm, \ldots, msg_n^\pm]$, where each $r_i$ appears first in an output message $msg_{j_i}^+$ and can later be used in any input and output message of $msg_{j_i+1}^\pm, \ldots, msg_n^\pm$. Fresh variables generated by a strand are unique to that strand.

Let us introduce the well-known Diffie-Hellman protocol as a motivating example.

Example 1. The Diffie-Hellman protocol uses exponentiation to share a secret between two parties, Alice and Bob. There is a public constant, denoted by $g$, which will be the base of the exponentiations. We represent the product of exponents by using the symbol $*$. Nonces are represented by $N_X$, denoting a nonce created by principal $X$. Raising message $M$ to the power of exponent $X$ is denoted by $(M)^X$. Encryption of message $M$ using the key $K$ is denoted by $\{M\}_K$. The protocol description is as follows.

1. $A \to B : \{A ; B ; g^{N_A}\}$

Alice sends her name, Bob's name, and an exponentiation of a new nonce $N_A$ created by her to Bob.

2. $B \to A : \{A ; B ; g^{N_B}\}$

Bob sends his name, Alice's name, and an exponentiation of a new nonce $N_B$ created by him to Alice.

3. $A \to B : \{secret\}_{g^{N_A N_B}}$

Bob receives $g^{N_A}$ and he raises it to the $N_B$ to obtain the key $g^{N_A N_B}$. He sends a secret to Alice encrypted using the key. Likewise, when Alice receives $g^{N_B}$, she raises it to the $N_A$ to obtain the key $g^{N_B N_A}$. We assume that exponentiation satisfies the equation $(g^{N_A})^{N_B} = g^{N_A * N_B}$ and that the product operation $\_*\_$ is associative and commutative, so that

$(g^{N_B})^{N_A} = g^{N_B * N_A} = g^{N_A * N_B}$

and therefore both Alice and Bob share the same key.

In the Maude-NPA's formalization of the protocol, we explicitly specify the signature $\Sigma$ describing the sorts and operations for messages, nonces, etc. A nonce $N_A$ is denoted by $n(A, r)$, where $r$ is a unique variable of sort $Fresh$. Concatenation of two messages, e.g., $N_A$ and $N_B$, is denoted by the operator $\_;\_$, e.g., $n(A, r) ; n(B, r')$. Encryption of a message $M$ is denoted by $e(A, M)$, e.g., $\{N_B\}_{K_B}$ is denoted by $e(K_B, n(B, r'))$. Decryption is similarly denoted by $d(A, M)$. Raising a message $M$ to the power of an exponent $E$ (i.e., $M^E$) is denoted by $exp(M, E)$, e.g., $g^{N_B}$ is denoted by $exp(g, n(B, r'))$. Associative-commutative multiplication of nonces is denoted by $\_*\_$. A secret generated by a principal is denoted by $sec(A, r)$, where $r$ is a unique variable of sort $Fresh$. The protocol-specific signature $\Sigma$ contains the following subsort relations ($Name, Nonce, Secret, Enc, Exp < Msg$) and ($Gen, Exp < GenvExp$) and the following operators:

$a, b, i : \to Name$
$g : \to Gen$
$n : Name \times Fresh \to Nonce$
$sec : Name \times Fresh \to Secret$
$\_;\_ : Msg \times Msg \to Msg$
$e, d : Key \times Msg \to Enc$
$exp : GenvExp \times Nonce \to Exp$
$\_*\_ : Nonce \times Nonce \to Nonce$

In the following we will use letters $A, B$ for variables of sort $Name$, letters $r, r', r''$ for variables of sort $Fresh$, and letters $M, M_1, M_2, Z$ for variables of sort $Msg$; whereas letters $X, Y$ will also represent variables, but their sort will depend on the concrete position in a term. The encryption/decryption cancellation properties are described using the equations

$e(X, d(X, Z)) = Z$ and $d(X, e(X, Z)) = Z$

in $E_\mathcal{P}$. The key algebraic property of exponentiation, $(z^x)^y = z^{x * y}$, is described using the equation

$exp(exp(W, Y), Z) = exp(W, Y * Z)$

in $E_\mathcal{P}$ (where $W$ is of sort $Gen$ instead of the more general sort $GenvExp$ in order to provide a finitary narrowing-based unification procedure modulo $E_\mathcal{P}$). Although multiplication modulo a prime number has a unit and inverses, we have only included the algebraic properties that are necessary for Diffie-Hellman to work. The two strands of $\mathcal{P}$ associated to the protocol roles, Alice and Bob, shown above are:

$:: r, r' :: [ (A ; B ; exp(g, n(A, r)))^+,\ (B ; A ; X)^-,\ (e(exp(X, n(A, r)), sec(A, r')))^+ ]$

$:: r'' :: [ (A ; B ; Y)^-,\ (B ; A ; exp(g, n(B, r'')))^+,\ (e(exp(Y, n(B, r'')), SR))^- ]$

The following strands describe the intruder abilities according to the Dolev-Yao attacker's capabilities.

• $[M_1^-, M_2^-, (M_1 ; M_2)^+]$ Concatenation

• $[(M_1 ; M_2)^-, M_1^+]$ Left-deconcatenation

• $[(M_1 ; M_2)^-, M_2^+]$ Right-deconcatenation

• $[K^-, M^-, e(K, M)^+]$ Encryption

• $[K^-, M^-, d(K, M)^+]$ Decryption

• $[M_1^-, M_2^-, (M_1 * M_2)^+]$ Multiplication

• $[M_1^-, M_2^-, exp(M_1, M_2)^+]$ Exponentiation

• $[g^+]$ Generator

• $[A^+]$ All names are public

• $:: r''' :: [n(i, r''')^+]$ Generation of intruder nonces

Note that the intruder cannot extract information from either an exponentiation or a product of exponents, but can only compose them. Also, the intruder cannot extract information directly from an encryption, but it can do so indirectly by using a decryption and the cancellation of encryption and decryption, which is an algebraic property, i.e., $[K^-, e(K, M)^-, M^+] =_{E_\mathcal{P}} [K^-, e(K, M)^-, d(K, e(K, M))^+]$.

3.1. Backwards Reachability Analysis 

Our protocol analysis methodology is then based on the idea of backwards reachability analysis, where we begin with one or more state patterns corresponding to attack states, and want to prove or disprove that they are unreachable from the set of initial protocol states. In order to perform such a reachability analysis we must describe how states change as a consequence of principals performing protocol steps and of intruder actions. This can be done by describing such state changes by means of a set $R_\mathcal{P}$ of rewrite rules, so that the rewrite theory $(\Sigma_\mathcal{P}, E_\mathcal{P}, R_\mathcal{P})$ characterizes the behavior of protocol $\mathcal{P}$ modulo the equations $E_\mathcal{P}$. In the case where new strands are not introduced into the state, the corresponding rewrite rules in $R_\mathcal{P}$ are as follows¹, where $L, L'$ denote lists of input and output messages $(+m, -m)$, $IK, IK'$ denote sets of intruder facts $(m \in \mathcal{I}, m \notin \mathcal{I})$, and $SS, SS'$ denote sets of strands:

$[L \mid M^-, L'] \,\&\, SS \,\&\, \{M \in \mathcal{I}, IK\} \to [L, M^- \mid L'] \,\&\, SS \,\&\, \{M \in \mathcal{I}, IK\}$ (1)

$[L \mid M^+, L'] \,\&\, SS \,\&\, IK \to [L, M^+ \mid L'] \,\&\, SS \,\&\, IK$ (2)

$[L \mid M^+, L'] \,\&\, SS \,\&\, \{M \notin \mathcal{I}, IK\} \to [L, M^+ \mid L'] \,\&\, SS \,\&\, \{M \in \mathcal{I}, IK\}$ (3)

In a forward execution of the protocol strands, Rule (1) describes a message reception event in which an input message is received from the intruder; the intruder's knowledge acts in fact as the only channel through which all communication takes place. Rule (2) describes a message send in which the intruder's knowledge is not increased; it is irrelevant where the message goes. Rule (3) describes the alternative case of a send event such that the intruder's knowledge is positively increased. Note that Rule (3) makes explicit when the intruder learned a message $M$, which was recorded in the previous state by the negative fact $M \notin \mathcal{I}$. A fact $M \notin \mathcal{I}$ can be paraphrased as: "the intruder does not yet know $M$, but will learn it in the future". This enables a very important restriction of the tool, expressed by saying that the intruder learns a term only once [4]: if the intruder needs to use a term twice, then he must learn it the first time it is needed; if he learns a term and needs to learn it again in a previous state, found later during the backwards search, then the state will be discarded as unreachable. Note that Rules (1)-(3) are generic: they belong to $\mathcal{R}_\mathcal{P}$ for any protocol $\mathcal{P}$.

¹ To simplify the exposition, we omit the fresh variables at the beginning of each strand in a rewrite rule.

It is also the case that when we are performing a backwards search, only the strands that we are searching for are listed explicitly: extra strands necessary to reach an initial state are dynamically added to the state by explicit introduction through protocol-specific rewrite rules (one for each output message in an honest or intruder strand in $S_\mathcal{P}$) as follows:

for each $[l_1, u^+, l_2] \in S_\mathcal{P}$: $[l_1 \mid u^+, l_2] \,\&\, SS \,\&\, \{u \notin \mathcal{I}, IK\} \to SS \,\&\, \{u \in \mathcal{I}, IK\}$ (4)

where $u$ denotes a message, $l_1, l_2$ denote lists of input and output messages $(+m, -m)$, $IK$ denotes a set of intruder facts $(m \in \mathcal{I}, m \notin \mathcal{I})$, and $SS$ denotes a set of strands. For example, intruder concatenation of two learned messages, as well as the learning of such a concatenation by the intruder, is described as follows:

$[M_1^-, M_2^- \mid (M_1 ; M_2)^+] \,\&\, SS \,\&\, \{(M_1 ; M_2) \notin \mathcal{I}, IK\} \to SS \,\&\, \{(M_1 ; M_2) \in \mathcal{I}, IK\}$

This rewrite rule can be understood, in a backwards search, as "in the current state the intruder is able to learn a message that matches the pattern $M_1 ; M_2$ if he is able to learn message $M_1$ and message $M_2$ in prior states". In summary, for a protocol $\mathcal{P}$, the set $R_\mathcal{P}$ of rewrite rules obtained from the protocol strands $S_\mathcal{P}$ that are used for backwards narrowing reachability analysis modulo the equational properties $E_\mathcal{P}$ is $R_\mathcal{P} = \{(1), (2), (3)\} \cup (4)$. These rewrite rules give the basic execution model of Maude-NPA. However, as we shall see, it will later be necessary to modify them in order to optimize the search. In later sections of this paper we will show how these rules can be modified to optimize the search while still maintaining completeness.

On the other hand, the assumption that algebraic properties are expressed as equational theories $E = E' \uplus Ax$ whose equations $E'$ are confluent, coherent, and terminating rewrite rules modulo regular equational axioms $Ax$ such as commutativity (C), associativity-commutativity (AC), or associativity-commutativity plus identity (ACU) of some function symbols, implies some extra conditions on the rewrite theory $R_\mathcal{P}$. Namely, for any term $m \in \mathcal{I}$ (resp. term $m^-$) and any $E', Ax$-irreducible substitution $\sigma$, $\sigma(m) \in \mathcal{I}$ (resp. $(\sigma(m))^-$) must be $E', Ax$-irreducible. This is because many of our optimization techniques rely on the assumption that terms have a unique normal form modulo a regular equational theory, and achieve their results by reasoning about the normal forms of terms.

Finally, states have, in practice, another component containing the actual message exchange sequence between principal or intruder strands (i.e., all the expressions exchanged between the honest and intruder strands). We do not make use of the message exchange sequence until Section 4.7.2, so we delay its introduction until there.

The way to analyze backwards reachability is then relatively easy, namely, to run the protocol "in reverse." This can be achieved by using the set of rules $R_\mathcal{P}^{-1}$, where $v \to u$ is in $R_\mathcal{P}^{-1}$ iff $u \to v$ is in $R_\mathcal{P}$. Reachability analysis can be performed symbolically, not on concrete states but on symbolic state patterns $[t(x_1, \ldots, x_n)]_{E_\mathcal{P}}$ by means of narrowing modulo $E_\mathcal{P}$ (see Section 2). We call attack patterns those state patterns (i.e., terms with logical variables) used to start the narrowing-based backwards reachability analysis. An initial state is a state where all strands have their vertical bar at the beginning and there is no positive fact of the form $u \in \mathcal{I}$ for a message term $u$ in the intruder's knowledge. If no initial state is found during the backwards reachability analysis from an attack pattern, the protocol has been proved secure for that attack pattern with respect to the assumed intruder capabilities and the algebraic properties. If an initial state is found, then we conclude that the attack pattern is possible and a concrete attack can be inferred from the exchange sequence stored in the initial state. Note that an initial state may be generic, in the sense of having logical variables for those elements that are not relevant for the attack.

Example 2. (Example 1 continued) The attack pattern that we are looking for is one in which Bob completes the protocol and the intruder is able to learn the secret. The attack state pattern to be given as input to Maude-NPA is:

$:: r' :: [ (A ; B ; Y)^-,\ (B ; A ; exp(g, n(B, r')))^+,\ (e(exp(Y, n(B, r')), sec(a, r'')))^- \mid nil ] \,\&\, SS \,\&\, \{sec(a, r'') \in \mathcal{I}, IK\}$

Using the above attack pattern Maude-NPA is able to find an initial state of the protocol, showing that the attack state is possible. Note that this initial state is generalized to two sessions in parallel: one session where Alice (i.e., the principal named $a$) is talking to another principal $B'$ (in this session the intruder gets a nonce $n(a, r)$ originated from $a$), and another session where Bob (i.e., the principal named $b$) is trying to talk to Alice. If we instantiate $B'$ to be $b$, then one session is enough, although the tool returns the most general attack. The strands associated to the initial state found by the backwards search are as follows:

$[nil \mid exp(g, n(a, r))^-,\ Z^-,\ exp(g, Z * n(a, r))^+] \,\&$

$[nil \mid exp(g, Z * n(a, r))^-,\ e(exp(g, Z * n(a, r)), sec(a, r''))^-,\ sec(a, r'')^+] \,\&$

$[nil \mid exp(g, n(b, r'))^-,\ W^-,\ exp(g, W * n(b, r'))^+] \,\&$

$[nil \mid exp(g, W * n(b, r'))^-,\ sec(a, r'')^-,\ e(exp(g, W * n(b, r')), sec(a, r''))^+] \,\&$

$[nil \mid (a ; b ; exp(g, n(b, r')))^-,\ (b ; exp(g, n(b, r')))^+] \,\&$

$[nil \mid (b ; exp(g, n(b, r')))^-,\ exp(g, n(b, r'))^+] \,\&$

$[nil \mid (a ; B' ; exp(g, n(a, r)))^-,\ (B' ; exp(g, n(a, r)))^+] \,\&$

$[nil \mid (B' ; exp(g, n(a, r)))^-,\ exp(g, n(a, r))^+] \,\&$

$:: r' :: [nil \mid (a ; b ; exp(g, W))^-,\ (a ; b ; exp(g, n(b, r')))^+,\ e(exp(g, W * n(b, r')), sec(a, r''))^-] \,\&$

$:: r, r'' :: [nil \mid (a ; B' ; exp(g, n(a, r)))^+,\ (a ; B' ; exp(g, Z))^-,\ e(exp(g, Z * n(a, r)), sec(a, r''))^+]$

Note that the last two strands, generating fresh variables $r, r', r''$, are protocol strands and the others are intruder strands.

The concrete message exchange sequence obtained by the reachability analysis is a list of 26 numbered events, of which only part is legible in the source. The legible entries are: 1. $(a ; b ; exp(g, W))^-$, 2. $(a ; b ; exp(g, n(b, r')))^+$, 9. $exp(g, W * n(b, r'))^+$, 14. $exp(g, n(a, r))^+$, 19. $e(exp(g, Z * n(a, r)), sec(a, r''))^+$, 20. $e(exp(g, Z * n(a, r)), sec(a, r''))^-$, 22. $sec(a, r'')^+$, 23. $exp(g, W * n(b, r'))^-$, 24. $sec(a, r'')^-$, 25. $e(exp(g, W * n(b, r')), sec(a, r''))^+$, 26. $e(exp(g, W * n(b, r')), sec(a, r''))^-$. [Steps 3-8, 10-13, 15-18 and 21 are not legible in the source.]

Step 1) describes Bob (i.e., the principal named $b$) receiving an initiating message from the intruder impersonating Alice. Step 2) describes Bob sending the response, and Step 3) describes the intruder receiving it. Steps 4) through 9) describe the intruder computing the key $exp(g, W * n(b, r'))$ she will use to communicate with Bob. Step 10) describes Alice initiating the protocol with a principal $B'$. Step 11) describes the intruder receiving it, and steps 11) through 17) describe the intruder constructing the key $exp(g, Z * n(a, r))$ she will use to communicate with Alice. Steps 18) and 19) describe Alice receiving the response from the intruder impersonating $B'$ and Alice sending the encrypted message. Steps 20) through 22) describe the intruder decrypting the message to get the secret. In steps 23) through 25) the intruder re-encrypts the secret with the key she shares with Bob and sends it, and in Step 26) Bob receives the message.

Note that there are some intruder strands missing in the initial state because certain terms are assumed to be trivially generable by the intruder, and so not searched for; namely, intruder strands generating variable $Z$, variable $W$, term $(a ; b ; exp(g, W))$, and term $(a ; B' ; exp(g, Z))$. Variables $Z$ and $W$ can be filled in with any nonce, for instance nonces generated by the intruder, such as $W = n(i, r''')$ and $Z = n(i, r'''')$, in the following way:

$:: r''' :: [nil \mid (n(i, r'''))^+] \,\&\, :: r'''' :: [nil \mid (n(i, r''''))^+]$

Also, note that nonces $W$ and $Z$ are used by the intruder to generate messages $(a ; b ; exp(g, W))$ and $(a ; B' ; exp(g, Z))$ in the following way:

$[nil \mid (a)^+] \,\&\, [nil \mid (b)^+] \,\&\, [nil \mid (B')^+] \,\&$

$[nil \mid (g)^+] \,\&\, [nil \mid (g)^-, W^-, exp(g, W)^+] \,\&\, [nil \mid (g)^-, Z^-, exp(g, Z)^+] \,\&$

$[nil \mid (a)^-, (b)^-, (a ; b)^+] \,\&\, [nil \mid (a ; b)^-, (exp(g, W))^-, (a ; b ; exp(g, W))^+] \,\&$

$[nil \mid (a)^-, (B')^-, (a ; B')^+] \,\&\, [nil \mid (a ; B')^-, (exp(g, Z))^-, (a ; B' ; exp(g, Z))^+]$



11 



4. State Space Reduction Techniques 

In this section we present Maude-NPA's state space reduction techniques. 
Before presenting them, we formally identify two classes of states that can be 
safely removed: unreachable and redundant states. We begin the presentation 
with the notion of grammars, and its associated state space reduction technique, 
which is the oldest Maude-NPA technique and does much to identify and remove 
non-terminating search paths. In many cases (although not all) this is enough 
to turn an infinite search space into a finite one. We then describe a number 
of simple techniques which remove states that can be shown to be unreachable, 
thus saving the cost of searching for them. We conclude by describing two 
powerful techniques for eliminating redundant states: subsumption partial order 
reduction and the super-lazy intruder, and we prove their completeness. 

First, the Maude-NPA satisfies a very general completeness result.

Theorem 2 (Completeness). Given a topmost rewrite theory $\mathcal{R}_{\mathcal{P}} = (\Sigma_{\mathcal{P}}, E_{\mathcal{P}}, R_{\mathcal{P}})$ representing protocol $\mathcal{P}$, and a non-initial state $St$ (with logical variables), if there is a substitution $\sigma$ and an initial state $St_{ini}$ such that $\sigma(St) \to^{*}_{R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St_{ini}$, then there are substitutions $\sigma', \rho$ and an initial state $St'_{ini}$ such that $St \leadsto^{*}_{\sigma', R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_{ini}$, $\sigma =_{E_{\mathcal{P}}} \sigma' \circ \rho$, and $St_{ini} =_{E_{\mathcal{P}}} \rho(St'_{ini})$.

Our optimizations are able to identify two kinds of unproductive states: 
unreachable and redundant states. 

Definition 1 (Unreachable States). Given a topmost rewrite theory $\mathcal{R}_{\mathcal{P}} = (\Sigma_{\mathcal{P}}, E_{\mathcal{P}}, R_{\mathcal{P}})$ representing protocol $\mathcal{P}$, a state $St$ (with logical variables) is unreachable if there is no sequence $St \leadsto^{*}_{\sigma, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St_{ini}$ leading to an initial state $St_{ini}$.

Definition 2 (Redundant States). Given a topmost rewrite theory $\mathcal{R}_{\mathcal{P}} = (\Sigma_{\mathcal{P}}, E_{\mathcal{P}}, R_{\mathcal{P}})$ representing protocol $\mathcal{P}$ and a state $St$ (with logical variables), a backwards narrowing step $St \leadsto_{\sigma_1, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St_1$ is called redundant (or just state $St_1$ is identified as redundant) if for any initial state $St_{ini1}$ reachable from $St_1$, i.e., $St_1 \leadsto^{*}_{\theta_1, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St_{ini1}$, there are states $St_2$ and $St_{ini2}$, a narrowing step $St \leadsto_{\sigma_2, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St_2$, a narrowing sequence $St_2 \leadsto^{*}_{\theta_2, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St_{ini2}$, and a substitution $\rho$ such that $\sigma_1 \circ \theta_1 =_{E_{\mathcal{P}}} \sigma_2 \circ \theta_2 \circ \rho$ and $St_{ini1} =_{E_{\mathcal{P}}} \rho(St_{ini2})$.

There are three reasons for wanting to detect unproductive backwards narrowing reachability steps. One is to reduce, if possible, the initially infinite search space to a finite one, as it is sometimes possible to do with the use of grammars, by removing unreachable states. Another is to reduce the size of a (possibly finite) search space by eliminating unreachable states early, i.e., before they are eliminated by exhaustive search. This elimination of unreachable states can have an effect far beyond eliminating a single node in the search space, since a single unreachable state may appear multiple times and/or have multiple descendants. Finally, if there are several steps leading to the same initial state, as for redundant states, then it is also possible to use various partial order reduction techniques that can further shrink the number of states that need to be explored.

4.1. Grammars

The Maude-NPA's ability to reason effectively about a protocol's algebraic properties is a result of its combination of symbolic reachability analysis using narrowing modulo equational properties (see Section 2), together with its grammar-based techniques for reducing the size of the search space. The key idea of grammars is to detect terms t in positive facts t∈I of the intruder's knowledge of a state St that will never be transformed into a negative fact θ(t)∉I in any initial state St' backwards reachable from St. This means that St can never reach an initial state and therefore it can be safely discarded. Here we briefly explain how grammars work as a state space reduction technique and refer the reader to [Hill] for further details. Automatically generated grammars (G_1, ..., G_m) represent unreachability information (or co-invariants), i.e., typically infinite sets of states unreachable from an initial state. These automatically generated grammars are very important in our framework, since in the best case they can reduce the infinite search space to a finite one, or, at least, can drastically reduce the search space.

Example 3. Consider again the attack pattern (†) in Example 2. After a couple of backwards narrowing steps, the Maude-NPA finds the following state:

[ nil | (M; sec(a,r''))-, (sec(a,r''))+ ] &
:: r' :: [ (A; B; Y)-, (B; A; exp(g,n(B,r')))+ | (e(exp(Y,n(B,r')), sec(a,r'')))- ] &
( (M; sec(a,r''))∈I, e(exp(Y,n(B,r')), sec(a,r''))∈I, sec(a,r'')∉I )

which corresponds to the intruder obtaining (i.e., learning) the message sec(a,r'') from a bigger message (M; sec(a,r'')), although the contents of variable M have not yet been found by the backwards reachability analysis. This process of adding more and more intruder strands that look for terms (M'; M; sec(a,r'')), (M''; M'; M; sec(a,r'')), ... can go on forever. Note that if we carefully check the strands for the protocol, we can see that the honest strands either never produce a message with normal form "M; secret" or such a message is under a public key encryption (and thus the intruder cannot get the contents), so the previous state is clearly unreachable and can be discarded. The grammar generated by Maude-NPA that captures the previous state as unreachable is as follows:

grl M inL => e(K, M) inL . ;
grl M inL => d(K, M) inL . ;
grl M inL => (M ; M') inL . ;
grl M inL => (M' ; M) inL . ;
grl M notInI,
    M notLeq exp(g, n(A, r)),
    M notLeq B ; exp(g, n(A, r')) => (M' ; M) inL .

where all the productions and exceptions refer to normal forms of messages w.r.t. the equational theory E_P.

Intuitively, the last production rule in the grammar above says that any term with normal form M'; M cannot be learned by the intruder if the subterm M is different from exp(g, n(A, r)) and B; exp(g, n(A, r')) (i.e., it does not match such patterns) and the constraint M∉I appears explicitly in the intruder's knowledge of the current state being checked for unreachability. Moreover, any term of any of the following normal forms: e(K, M), d(K, M), (M'; M), or (M; M') cannot be learned by the intruder if subterm M is also not learnable by the intruder.

4.2. Public data

The simplest optimization possible is one that can be provided explicitly by the user. When we are searching for some data that we know is easy to learn by the intruder, the tool can avoid this by assuming that such data is public. Such data is considered public by using a special sort Public and a subsort definition, e.g. "subsort Name < Public". That is, given a state St that contains an expression t∈I in the intruder's knowledge where t is of sort Public, we can remove the expression t∈I from the intruder's knowledge, since the backwards reachability steps that take care of such a t∈I are necessary in order to lead to an initial state but their inclusion in the message sequence is superfluous. The completeness proof for this optimization is trivial and thus omitted.

4.3. Limiting Dynamic Introduction of New Strands

As pointed out in Section 3.1, rules of type (4) allow the dynamic introduction of new strands. However, new strands can also be introduced by unification of a state containing a variable SS denoting a set of strands and one of the rules (1), (2), and (3), where variables L and L' denoting lists of input/output messages will be introduced by instantiation of SS. The same can happen with new intruder facts of the form X∈I, where X is a variable, by instantiation of a variable IK denoting the rest of the intruder knowledge.

Example 4. Consider a state St of the form SS & {IK} where SS denotes a set of strands and IK denotes a set of facts in the intruder's knowledge. Now, consider Rule (1):

SS' & [L | M-, L'] & {M∈I, IK'} → SS' & [L, M- | L'] & {M∈I, IK'}

The following backwards narrowing step applying such a rule can be performed from St = SS & {IK} using the unifier σ = {SS ↦ SS' & [L, M- | L'], IK ↦ (M∈I, IK')}:

SS & {IK} ⇝_{σ, R_P^{-1}, E_P} SS' & [L | M-, L'] & {M∈I, IK'}

but this backwards narrowing step is unproductive, since it is not guided by the information in the attack state. Indeed, the same rule can be applied again using variables SS' and IK', and this can be repeated many times.

In order to avoid a huge number of unproductive narrowing steps by useless instantiation, we allow the introduction of new strands and/or new intruder facts only by rule application instead of just by unification. For this, we do two things:

1. we remove any of the following variables from attack patterns: SS denoting a set of strands, IK denoting a set of intruder facts, and L, L' denoting a set of input/output messages; and

2. we replace Rule (1) by the following Rule (5), since we no longer have a variable denoting a set of intruder facts that has to be instantiated:

SS & [L | M-, L'] & {M∈I, IK} → SS & [L, M- | L'] & {IK}    (5)

Note that in order to replace Rule (1) by Rule (5) we have to assume that the intruder's knowledge is a set of intruder facts without repeated elements, i.e., the union operator _,_ is ACUI (associative-commutative-identity-idempotent). This is completeness-preserving, since it is in line with the restriction in [3] that the intruder learns a term only once.

Furthermore, one might imagine that Rule (3) and rules of type (4) must also be modified in order to remove the M∈I expression from the intruder's knowledge of the right-hand side of each rule. However, this is not so, since, by keeping the expression M∈I, we force the backwards application of the rule only when there is indeed a message for the intruder to be learned. This provides some form of on-demand evaluation of the protocol.

The completeness proof for this optimization is trivial and thus omitted. However, since we have modified the set of rules used for backwards reachability, we prove that such a modification has the same reachability capabilities. The set of rewrite rules actually used for backwards narrowing, which includes the set Q of rules of type (4), is denoted $R'_{\mathcal{P}}$. The following result ensures that $R_{\mathcal{P}}$ and $R'_{\mathcal{P}}$ compute similar initial states by backwards reachability analysis. Its proof is straightforward.

Definition 3 (Inclusion). Given a topmost rewrite theory $\mathcal{R}_{\mathcal{P}} = (\Sigma_{\mathcal{P}}, E_{\mathcal{P}}, R_{\mathcal{P}})$ representing protocol $\mathcal{P}$, and two states $St_1, St_2$, we abuse notation and write $St_1 \subseteq_{E_{\mathcal{P}}} St_2$ to denote that every state element (i.e., strand or intruder fact) in $St_1$ appears in $St_2$ (modulo $E_{\mathcal{P}}$).

Proposition 1. Let $\mathcal{R}_{\mathcal{P}} = (\Sigma_{\mathcal{P}}, E_{\mathcal{P}}, R_{\mathcal{P}})$ be a topmost rewrite theory representing protocol $\mathcal{P}$. Let $St = ss \,\&\, SS \,\&\, \{ik, IK\}$ where $ss$ is a term representing a set of strands, $ik$ is a term representing a set of intruder facts, $SS$ is a variable for strands, and $IK$ is a variable for intruder knowledge. Let $St' = ss \,\&\, \{ik\}$. If there is an initial state $St_{ini}$ and a substitution $\sigma$ such that $St \leadsto^{*}_{\sigma, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St_{ini}$, then there is an initial state $St'_{ini}$ and two substitutions $\sigma', \rho$ such that $St' \leadsto^{*}_{\sigma', R'^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_{ini}$, $\sigma =_{E_{\mathcal{P}}} \sigma' \circ \rho$, and $\rho(St'_{ini}) \subseteq_{E_{\mathcal{P}}} St_{ini}$.

4.4. Partial Order Reduction Giving Priority to Input Messages

The different rewrite rules on which the backwards narrowing search from an attack pattern is based are in general executed non-deterministically. This is because the order of execution can make a difference as to what subsequent rules can be executed. For example, an intruder cannot receive a term until it is sent by somebody, and that send action within a strand may depend upon other receives in the past. There is one exception, Rule (5) (originally Rule (1)), which, in a backwards search, only moves a negative term appearing right before the bar into the intruder's knowledge.

Example 5. For instance, consider the attack pattern (†) in Example 2. Since the strand in the attack pattern has the input message (e(exp(Y, n(B, r')), sec(a, r'')))- but also has the intruder challenge sec(a, r'')∈I, there are several possible backwards narrowing steps: some processing the intruder challenge, and Rule (5) processing the input message.

The execution of Rule (5) in a backwards search does not disable any other transitions; indeed, it only enables send transitions. Thus, it is safe to execute it at each stage before any other transition. For the same reason, if several applications of Rule (5) are possible, it is safe to execute them all at once before any other transition. Requiring all executions of Rule (5) to execute first thus eliminates interleavings of Rule (5) with send and receive transitions, which are equivalent to the case in which Rule (5) executes first. In practice, this typically cuts the search space size in half. The completeness proof for this optimization is trivial and is thus omitted.

Similar strategies have been employed by other tools in forward searches. For 
example, in (TH], a strategy is introduced that always executes send transitions 
first whenever they are enabled. Since a send transition does not depend on any 
other component of the state in order to take place, it can safely be executed 
first. The original NPA also used this strategy; it had a receive transition 
(similar to the input message in Maude-NPA) which had the effect of adding 
new terms to the intruder's knowledge, and which always was executed before 
any other transition once it was enabled. 

4.5. Early Detection of Inconsistent States

There are several types of states that are always unreachable or inconsistent. 

Example 6. Consider again the attack pattern (†) in Example 2. After a couple of backwards narrowing steps, the Maude-NPA finds the following state, where the intruder learns e(exp(Y,n(B,r')), sec(a,r'')) by assuming she can learn exp(Y,n(B,r')) and sec(a,r'') and combines them:

[ nil | (exp(Y,n(B,r')))-, (sec(a,r''))-, (e(exp(Y,n(B,r')), sec(a,r'')))+ ] &
:: r' ::
[ (A;B;Y)-, (B;A;exp(g,n(B,r')))+ | (e(exp(Y,n(B,r')), sec(a,r'')))- ] &
( sec(a,r'')∈I, exp(Y,n(B,r'))∈I, e(exp(Y,n(B,r')), sec(a,r''))∉I )

From this state, the intruder tries to learn sec(a,r'') by assuming she can learn messages e(exp(Y,n(B,r')), sec(a,r'')) and exp(Y,n(B,r')) and combines them in a decryption:

[ nil | (exp(Y,n(B,r')))-, (e(exp(Y,n(B,r')), sec(a,r'')))-, (sec(a,r''))+ ] &
[ nil | (exp(Y,n(B,r')))-, (sec(a,r''))-, (e(exp(Y,n(B,r')), sec(a,r'')))+ ] &
:: r' ::
[ (A;B;Y)-, (B;A;exp(g,n(B,r')))+ | (e(exp(Y,n(B,r')), sec(a,r'')))- ] &
( sec(a,r'')∈I, exp(Y,n(B,r'))∈I,
  e(exp(Y,n(B,r')), sec(a,r''))∈I, e(exp(Y,n(B,r')), sec(a,r''))∉I )

But then this state is inconsistent, since we have both the challenge e(exp(Y,n(B,r')), sec(a,r''))∈I and the already learned message e(exp(Y,n(B,r')), sec(a,r''))∉I at the same time, violating the learn-only-once condition in Maude-NPA.

If the Maude-NPA attempts to search beyond an inconsistent state, it will never find an initial state. For this reason, the Maude-NPA search strategy always marks the following types of states as unreachable, and does not search beyond them any further:

1. A state $St$ containing two contradictory facts $t \in \mathcal{I}$ and $t \notin \mathcal{I}$ (modulo $E_{\mathcal{P}}$) for a term $t$.

2. A state $St$ whose intruder's knowledge contains the fact $t \notin \mathcal{I}$ and a strand of the form $[m_1^{\pm}, \ldots, t^{-}, \ldots, m_{j-1}^{\pm} \mid m_j^{\pm}, \ldots, m_k^{\pm}]$ (modulo $E_{\mathcal{P}}$).

3. A state $St$ containing a fact $t \in \mathcal{I}$ such that $t$ contains a fresh variable $r$ and the strand in $St$ indexed by $r$, i.e., $:: r_1, \ldots, r, \ldots, r_k :: [m_1^{\pm}, \ldots, m_{j-1}^{\pm} \mid m_j^{\pm}, \ldots, m_k^{\pm}]$, cannot produce $r$, i.e., $r$ is not a subterm of any output message in $m_1^{\pm}, \ldots, m_{j-1}^{\pm}$.

4. A state $St$ containing a strand of the form $[m_1^{\pm}, \ldots, t^{-}, \ldots, m_{j-1}^{\pm} \mid m_j^{\pm}, \ldots, m_k^{\pm}]$ for some term $t$ such that $t$ contains a fresh variable $r$ and the strand in $St$ indexed by $r$ cannot produce $r$.

Note that case 2 will become an instance of case 1 after some backwards narrowing steps, and the same happens with cases 4 and 3. The proof of inconsistency of cases 1 and 3 is straightforward.
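The four cases above are purely structural checks on a state, so they can be tried on a small data structure. The following is an added example, not code from Maude-NPA: it encodes a state as a list of strands (fresh variables, messages before and after the bar) plus a set of intruder facts, and reports the first of the four cases that applies. The encoding is an assumption of the example (compound terms are tuples whose first element is the symbol, uppercase strings are logical variables, strings beginning with "r" are fresh variables), and equality is syntactic rather than modulo $E_{\mathcal{P}}$. The constructed sample states follow Example 6: the state after the decryption step, which is caught by case 1, and a variant with Bob's bar moved to the left of his output, which is caught by case 3.

```python
# Added example (not Maude-NPA code): detecting the four kinds of inconsistent
# states of Section 4.5 on a simplified state representation.
# Encoding (an assumption of this example): compound terms are tuples whose
# first element is the symbol, e.g. ("exp", "g", ("n", "B", "r'")); uppercase
# strings are logical variables; strings starting with "r" are fresh variables;
# other lowercase strings are constants. Equality is syntactic, not modulo E_P.
from dataclasses import dataclass, field


def is_fresh(t):
    return isinstance(t, str) and t.startswith("r")


def subterms(t):
    """Yield t and all its proper subterms (the leading symbol is not a term)."""
    yield t
    if isinstance(t, tuple):
        for arg in t[1:]:
            yield from subterms(arg)


@dataclass
class Strand:
    fresh: list      # fresh variables r1,...,rk that index the strand
    before: list     # messages left of the bar, as (sign, term) pairs
    after: list      # messages right of the bar

    def can_produce(self, r):
        # r is produced iff it occurs in an output (+) message left of the bar
        return any(s == "+" and r in subterms(m) for s, m in self.before)


@dataclass
class State:
    strands: list
    facts: set = field(default_factory=set)   # ("in", t) for t∈I, ("notin", t) for t∉I


def strand_indexed_by(state, r):
    for s in state.strands:
        if r in s.fresh:
            return s
    return None


def unproducible_fresh(state, t):
    """Fresh variables of t whose indexing strand (when present) cannot produce them."""
    return [r for r in subterms(t) if is_fresh(r)
            and strand_indexed_by(state, r) is not None
            and not strand_indexed_by(state, r).can_produce(r)]


def inconsistency(state):
    """Return (case, term) for the first of cases 1-4 that applies, else None."""
    in_facts = {t for kind, t in state.facts if kind == "in"}
    notin_facts = {t for kind, t in state.facts if kind == "notin"}
    inputs_before_bar = [m for s in state.strands for sign, m in s.before if sign == "-"]
    for t in in_facts & notin_facts:            # case 1: t∈I and t∉I for the same t
        return ("case1", t)
    for m in inputs_before_bar:                 # case 2: t∉I and t^- left of the bar
        if m in notin_facts:
            return ("case2", m)
    for t in in_facts:                          # case 3: t∈I with a fresh r not yet produced
        if unproducible_fresh(state, t):
            return ("case3", t)
    for m in inputs_before_bar:                 # case 4: same test on t^- left of the bar
        if unproducible_fresh(state, m):
            return ("case4", m)
    return None


# Constructed sample states following Example 6 (Diffie-Hellman attack pattern).
N_B = ("n", "B", "r'")
EXP_Y = ("exp", "Y", N_B)
SEC = ("sec", "a", "r''")
ENC = ("e", EXP_Y, SEC)
BOB_DONE = Strand(["r'"],
                  [("-", (";", "A", "B", "Y")), ("+", (";", "B", "A", ("exp", "g", N_B)))],
                  [("-", ENC)])


def consistent_state():
    # First state of Example 6: the intruder builds the ciphertext from its parts.
    return State([Strand([], [], [("-", EXP_Y), ("-", SEC), ("+", ENC)]), BOB_DONE],
                 {("in", SEC), ("in", EXP_Y), ("notin", ENC)})


def example6_state():
    # Second state of Example 6: the ciphertext is both a challenge and already learned.
    decrypt = Strand([], [], [("-", EXP_Y), ("-", ENC), ("+", SEC)])
    return State([decrypt] + consistent_state().strands,
                 {("in", SEC), ("in", EXP_Y), ("in", ENC), ("notin", ENC)})


def shifted_state():
    # Variant: Bob's bar sits before his output, so r' has not been produced yet.
    bob_early = Strand(["r'"], [("-", (";", "A", "B", "Y"))],
                       [("+", (";", "B", "A", ("exp", "g", N_B))), ("-", ENC)])
    return State([bob_early], {("in", EXP_Y), ("notin", ENC)})
```

Running inconsistency over the three constructed states returns None for the first state of Example 6, ("case1", ENC) for its second state, and ("case3", EXP_Y) for the variant; a search strategy would stop expanding the latter two.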

4.6. Transition Subsumption

Partial order reduction (POR) techniques are common in state exploration. However, POR techniques for narrowing-based state exploration do not seem to have been explored in detail, although they may be extremely relevant and may afford greater reductions than in standard state exploration based on ground terms rather than on terms with logical variables. For instance, the simple concept of two states being equivalent modulo renaming of variables does not apply to standard state exploration, whereas it does apply to narrowing-based state exploration. Escobar and Meseguer studied narrowing-based state exploration and POR techniques, which may transform an infinite-state system into a finite one. However, the Maude-NPA needs a dedicated POR technique applicable to its specific execution model.

Let us motivate this POR technique with an example before giving a more 
detailed explanation. 

Example 7. Consider again the attack pattern (†) in Example 2. After a couple of backwards narrowing steps, the Maude-NPA finds the state (‡) of Example 6:

[ nil | (exp(Y,n(B,r')))-, (sec(a,r''))-, (e(exp(Y,n(B,r')), sec(a,r'')))+ ] &
:: r' ::
[ (A;B;Y)-, (B;A;exp(g,n(B,r')))+ | (e(exp(Y,n(B,r')), sec(a,r'')))- ] &
( sec(a,r'')∈I, exp(Y,n(B,r'))∈I, e(exp(Y,n(B,r')), sec(a,r''))∉I )

However, the following state is also generated after a couple of narrowing steps from the attack pattern, where, thanks to the equational theory, variable Y is instantiated to exp(G,N) for G a generator (indeed the constant g) and N a nonce variable:

[ nil | (exp(G,n(B,r')))-, N-, (exp(G, N * n(B,r')))+ ] &
[ nil | (exp(G, N * n(B,r')))-, (sec(a,r''))-, (e(exp(G, N * n(B,r')), sec(a,r'')))+ ] &
:: r' :: [ (A;B;exp(G,N))-, (B;A;exp(g,n(B,r')))+
           | (e(exp(G, N * n(B,r')), sec(a,r'')))- ] &
( sec(a,r'')∈I, exp(G,n(B,r'))∈I, N∈I,
  exp(G, N * n(B,r'))∈I, e(exp(G, N * n(B,r')), sec(a,r''))∉I )

However, the unreachability of the second state is implied (modulo E_P) by the unreachability of the first state; unreachability in the sense of Definition 1. Intuitively, the challenges present in the first state that are relevant for backwards reachability are included in the second state, namely, the challenges sec(a,r'')∈I and exp(Y,n(B,r'))∈I. Indeed, the unreachability of the following "kernel" state implies the unreachability of both states, although this kernel state is never computed by the Maude-NPA:

:: r' :: [ (A;B;Y)-, (B;A;exp(g,n(B,r')))+ | (e(exp(Y,n(B,r')), sec(a,r'')))- ] &
( sec(a,r'')∈I, exp(Y,n(B,r'))∈I )

Note that the converse is not true, i.e., the second state does not imply the first one, since it contains one more intruder item relevant for backwards reachability purposes, namely N∈I.
Let us now formalize this state space reduction and prove its completeness. First, we define an auxiliary relation $St_1 \rhd St_2$ identifying whether $St_1$ is smaller than $St_2$ in terms of messages to be learned by the intruder.

Definition 4. Given a topmost rewrite theory $\mathcal{R}_{\mathcal{P}} = (\Sigma_{\mathcal{P}}, E_{\mathcal{P}}, R_{\mathcal{P}})$ representing protocol $\mathcal{P}$, and two non-initial states $St_1$ and $St_2$, we write $St_1 \rhd St_2$ (or $St_2 \lhd St_1$) if each intruder fact of the form $t \in \mathcal{I}$ in $St_1$ appears in $St_2$ (modulo $E_{\mathcal{P}}$) and each non-initial strand in $St_1$ appears in $St_2$ (modulo $E_{\mathcal{P}}$ and with the vertical bar at the same position).

Then, we define the relation $St_1 \blacktriangleright St_2$ which extends $St_1 \rhd St_2$ to the case where $St_1$ is more general than $St_2$ w.r.t. variable instantiation.

Definition 5 ($\mathcal{P}$-subsumption relation). Given a topmost rewrite theory $\mathcal{R}_{\mathcal{P}} = (\Sigma_{\mathcal{P}}, E_{\mathcal{P}}, R_{\mathcal{P}})$ representing protocol $\mathcal{P}$ and two non-initial states $St_1, St_2$, we write $St_1 \blacktriangleright St_2$ (or $St_2 \blacktriangleleft St_1$) and say that $St_2$ is $\mathcal{P}$-subsumed by $St_1$ if there is a substitution $\theta$ s.t. $\theta(St_1) \rhd St_2$.

Note that we restrict the relation $\blacktriangleright$ to non-initial states because, otherwise, an initial state would imply any other state, erroneously making the search space finite after an initial state has been found.

The following results provide the appropriate connection between $\mathcal{P}$-subsumption and narrowing transitions. First, we consider the simplest case where, given two non-initial states $St_1, St_2$ such that $St_1 \blacktriangleright St_2$, a narrowing step on $St_2$, yielding state $St'_2$, does not affect the transition subsumption property $\blacktriangleright$ and thus $St_1 \blacktriangleright St'_2$. The proof is straightforward.

Lemma 1. Given a topmost rewrite theory $\mathcal{R}_{\mathcal{P}} = (\Sigma_{\mathcal{P}}, E_{\mathcal{P}}, R_{\mathcal{P}})$ representing protocol $\mathcal{P}$ and two non-initial states $St_1, St_2$. If (i) there is a substitution $\theta$ s.t. $\theta(St_1) \rhd St_2$, i.e., $St_1 \blacktriangleright St_2$, (ii) there is a narrowing step $St_2 \leadsto_{\sigma_2, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_2$, (iii) each intruder fact of the form $t \in \mathcal{I}$ in $\sigma_2(\theta(St_1))$ appears in $St'_2$ (modulo $E_{\mathcal{P}}$) and (iv) each non-initial strand in $\sigma_2(\theta(St_1))$ appears in $St'_2$ (modulo $E_{\mathcal{P}}$), then $\sigma_2(\theta(St_1)) \rhd St'_2$, i.e., $St_1 \blacktriangleright St'_2$.

Second, we consider what happens when, given two non-initial states $St_1, St_2$ such that $St_1 \blacktriangleright St_2$, a narrowing step on $St_2$, yielding state $St'_2$, does affect the transition subsumption property $\blacktriangleright$ and thus $St_1 \not\blacktriangleright St'_2$. The proof is straightforward.

Lemma 2. Given a topmost rewrite theory $\mathcal{R}_{\mathcal{P}} = (\Sigma_{\mathcal{P}}, E_{\mathcal{P}}, R_{\mathcal{P}})$ representing protocol $\mathcal{P}$ and two non-initial states $St_1, St_2$. If (i) there is a substitution $\theta$ s.t. $\theta(St_1) \rhd St_2$, i.e., $St_1 \blacktriangleright St_2$, (ii) there is a narrowing step $St_2 \leadsto_{\sigma_2, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_2$, and (iii) $\sigma_2(\theta(St_1)) \not\rhd St'_2$, i.e., $St_1 \not\blacktriangleright St'_2$, then either (a) there is an intruder fact of the form $t \in \mathcal{I}$ in $\sigma_2(\theta(St_1))$ that does not appear in $St'_2$ (modulo $E_{\mathcal{P}}$), or (b) there is a non-initial strand in $\sigma_2(\theta(St_1))$ that does not appear in $St'_2$ (modulo $E_{\mathcal{P}}$).
Now, we can consider both cases of Lemma 2 separately: either an expression $t \in \mathcal{I}$ in $St'_2$ or a non-initial strand in $St'_2$, not appearing in the instantiated version of $St_1$. First, the case where an expression $t \in \mathcal{I}$ in $St'_2$ does not appear in the instantiated version of $St_1$.

Lemma 3. Given a topmost rewrite theory $\mathcal{R}_{\mathcal{P}} = (\Sigma_{\mathcal{P}}, E_{\mathcal{P}}, R_{\mathcal{P}})$ representing protocol $\mathcal{P}$ and two non-initial states $St_1, St_2$. If (i) there is a substitution $\theta$ s.t. $\theta(St_1) \rhd St_2$, i.e., $St_1 \blacktriangleright St_2$, (ii) there is a narrowing step $St_2 \leadsto_{\sigma_2, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_2$, and (iii) there is an intruder fact of the form $t \in \mathcal{I}$ in $\sigma_2(\theta(St_1))$ that does not appear in $St'_2$ (modulo $E_{\mathcal{P}}$), then (a) $t \notin \mathcal{I}$ does appear in $St'_2$ (modulo $E_{\mathcal{P}}$) and (b) there is a state $St'_1$ and a substitution $\sigma_1$ such that $St_1 \leadsto_{\sigma_1, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_1$ and either $St'_1$ is an initial state or there is a substitution $\rho$ s.t. $\rho(St'_1) \rhd St'_2$, i.e., $St'_1 \blacktriangleright St'_2$.

Proof. We prove the result by considering the different rules applicable to $St_2$ (remember that in $\mathcal{R}_{\mathcal{P}}$, rewriting and narrowing steps always happen at the top position). Note that property (a) is immediate because rules in $R_{\mathcal{P}}$ do not remove expressions of the form $m \notin \mathcal{I}$. Note also that if $t \in \mathcal{I}$ does appear in $St_2$ (modulo $E_{\mathcal{P}}$) and $t \notin \mathcal{I}$ does appear in $St'_2$ (modulo $E_{\mathcal{P}}$), then only Rule (3) or rules of type (4) have been applied to $St_2$ as follows:

• Reversed version of Rule (3), i.e., $St_2 \leadsto_{\sigma_2, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_2$ using the following rule

$[L, M^{+} \mid L'] \,\&\, SS \,\&\, \{M \in \mathcal{I}, IK\} \to [L \mid M^{+}, L'] \,\&\, SS \,\&\, \{M \notin \mathcal{I}, IK\}.$

Recall that there is an intruder fact in $\sigma_2(\theta(St_1))$ of the form $t \in \mathcal{I}$ for $t$ a message term that does not appear in $St'_2$ (modulo $E_{\mathcal{P}}$) and $t =_{E_{\mathcal{P}}} \sigma_2(M)$. Thus, $\sigma_2(M) \in \mathcal{I}$ does appear in $\sigma_2(\theta(St_1))$ (modulo $E_{\mathcal{P}}$). Here we have several cases:

– If the strand $\sigma_2([L, M^{+} \mid L'])$ appears in $\sigma_2(\theta(St_1))$, then the very same narrowing step can be performed on $St_1$, i.e., there exist $\sigma_1, \rho$ such that $St_1 \leadsto_{\sigma_1, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_1$ with the same rule and $\theta \circ \sigma_2 =_{E_{\mathcal{P}}} \sigma_1 \circ \rho$. Thus, either $St'_1$ is an initial state or $\rho(St'_1) \rhd St'_2$, since: (i) each positive intruder fact in $\sigma_2(\theta(St_1))$ of the form $u \in \mathcal{I}$ for $u$ a message term, except $\sigma_2(M) \in \mathcal{I}$, appears in $\rho(St'_1)$ (modulo $E_{\mathcal{P}}$), (ii) $\sigma_2(M) \notin \mathcal{I}$ appears in $\rho(St'_1)$ (modulo $E_{\mathcal{P}}$), (iii) each non-initial strand in $\sigma_2(\theta(St_1))$, except $\sigma_2([L, M^{+} \mid L'])$, has not been modified and appears in $\rho(St'_1)$ as well (modulo $E_{\mathcal{P}}$), and (iv) for $\sigma_2([L, M^{+} \mid L'])$ in $\sigma_2(\theta(St_1))$, $\sigma_2([L \mid M^{+}, L'])$ appears in $\rho(St'_1)$ and in $St'_2$.

– If the strand $\sigma_2([L, M^{+} \mid L'])$ does not appear in $\sigma_2(\theta(St_1))$, then the strand $\sigma_2([L, M^{+} \mid L'])$ corresponds to a strand in $S_{\mathcal{P}}$, the protocol specification, that had been introduced via a rule of the set $Q$, where the strand's bar was clearly more to the right than in $\sigma_2([L, M^{+} \mid L'])$. Note that it cannot correspond to a strand included originally in the attack pattern, because we assume that $St_1$ and $St_2$ are states generated by backwards narrowing from the same attack state and then both $St_1$ and $St_2$ should have the strand. Therefore, since the strand $\sigma_2([L, M^{+} \mid L'])$ corresponds to a strand in $S_{\mathcal{P}}$ and the set $Q$ contains a rewrite rule for each strand of the form $[l_1, u^{+}, l_2]$ in $S_{\mathcal{P}}$, there must be a rule $\alpha$ in $Q$ introducing a strand of the form $[l_1 \mid u^{+}, l_2]$ and there must be substitutions $\sigma_1, \rho$ such that $St_1 \leadsto_{\sigma_1, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_1$ using the rule $\alpha$ and $\theta \circ \sigma_2 =_{E_{\mathcal{P}}} \sigma_1 \circ \rho$. Thus, either $St'_1$ is an initial state or $\rho(St'_1) \rhd St'_2$, since: (i) each positive intruder fact in $\sigma_2(\theta(St_1))$ of the form $u \in \mathcal{I}$ for $u$ a message term, except $\sigma_2(M) \in \mathcal{I}$, appears in $\rho(St'_1)$ (modulo $E_{\mathcal{P}}$), (ii) $\sigma_2(M) \notin \mathcal{I}$ appears in $\rho(St'_1)$ (modulo $E_{\mathcal{P}}$), (iii) each non-initial strand in $\sigma_2(\theta(St_1))$ has not been modified and appears in $\rho(St'_1)$ as well (modulo $E_{\mathcal{P}}$), and (iv) $\sigma_2([l_1 \mid u^{+}, l_2])$ appears in $\rho(St'_1)$ and in $St'_2$.

• Rules in $Q$, i.e., $St_2 \leadsto_{\sigma_2, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_2$ using a rule of the form

$\{\, SS \,\&\, \{u \notin \mathcal{I}, IK\} \to [l_1 \mid u^{+}, l_2] \,\&\, SS \,\&\, \{u \in \mathcal{I}, IK\} \;\mid\; [l_1, u^{+}, l_2] \in \mathcal{P} \,\}.$

Recall that there is an intruder fact in $\sigma_2(\theta(St_1))$ of the form $t \in \mathcal{I}$ for $t$ a message term that does not appear in $St'_2$ (modulo $E_{\mathcal{P}}$) and $t =_{E_{\mathcal{P}}} \sigma_2(u)$, where $u$ is the message term used by the rewrite rule. Thus, $\sigma_2(u) \in \mathcal{I}$ does appear in $\sigma_2(\theta(St_1))$ (modulo $E_{\mathcal{P}}$). That is, the same narrowing step is available from $\sigma_2(\theta(St_1))$ and there exist $\sigma_1, \rho$ such that $St_1 \leadsto_{\sigma_1, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_1$ with the same rule and $\theta \circ \sigma_2 =_{E_{\mathcal{P}}} \sigma_1 \circ \rho$. Thus, either $St'_1$ is an initial state or $\rho(St'_1) \rhd St'_2$.

This concludes the proof. □

Second, the case where a non-initial strand in $St'_2$ does not appear in the instantiated version of $St_1$.

Lemma 4. Given a topmost rewrite theory $\mathcal{R}_{\mathcal{P}} = (\Sigma_{\mathcal{P}}, E_{\mathcal{P}}, R_{\mathcal{P}})$ representing protocol $\mathcal{P}$ and two non-initial states $St_1, St_2$. If (i) there is a substitution $\theta$ s.t. $\theta(St_1) \rhd St_2$, (ii) there is a narrowing step $St_2 \leadsto_{\sigma_2, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_2$, and (iii) there is a non-initial strand $[m_1^{\pm}, \ldots, m_j^{\pm} \mid m_{j+1}^{\pm}, \ldots, m_k^{\pm}]$ in $\sigma_2(\theta(St_1))$ that does not appear in $St'_2$ (modulo $E_{\mathcal{P}}$), then (a) $\sigma_2|_{var(St_2)} = id$, (b) $[m_1^{\pm}, \ldots, m_{j-1}^{\pm} \mid m_j^{\pm}, \ldots, m_k^{\pm}]$ does appear in $St'_2$ (modulo $E_{\mathcal{P}}$) and (c) there is a state $St'_1$ such that $St_1 \leadsto_{\sigma_1, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_1$ and either $St'_1$ is an initial state or $St'_1 \rhd St'_2$.

Proof. We prove the result by considering the different rules applicable to $St_2$ (remember that in $\mathcal{R}_{\mathcal{P}}$, rewriting and narrowing steps always happen at the top position). Note that property (a) is immediate because rules in $R_{\mathcal{P}}$ do not remove strands, only move the vertical bar to the left of the sequences of messages in the strands. Note also that if $[m_1^{\pm}, \ldots, m_j^{\pm} \mid m_{j+1}^{\pm}, \ldots, m_k^{\pm}]$ appears in $\sigma_2(\theta(St_1))$ and $[m_1^{\pm}, \ldots, m_{j-1}^{\pm} \mid m_j^{\pm}, \ldots, m_k^{\pm}]$ appears in $St'_2$, then only Rule (2) or Rule (5) have been applied to $St_2$ as follows:

• Reversed version of Rule (2), i.e., $St_2 \leadsto_{\sigma_2, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_2$ using the following rule

$[L, M^{+} \mid L'] \,\&\, SS \,\&\, \{IK\} \to [L \mid M^{+}, L'] \,\&\, SS \,\&\, \{IK\}.$

• Reversed version of Rule (5), i.e., $St_2 \leadsto_{\sigma_2, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_2$ using the following rule

$[L, M^{-} \mid L'] \,\&\, SS \,\&\, \{IK\} \to [L \mid M^{-}, L'] \,\&\, SS \,\&\, \{M \in \mathcal{I}, IK\}.$

However, note that $\sigma_2|_{var(St_2)} = id$ in both possible rewrite steps. Then, there is a state $St'_1$ such that $St_1 \leadsto_{\sigma_1, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_1$ with the same rule and it is straightforward that either $St'_1$ is an initial state or $St'_1 \rhd St'_2$, since only the vertical bar has been moved. □

Now we can formally define the relation between $\mathcal{P}$-subsumption and one narrowing step. In the following, $\leadsto^{\leq 1}_{\sigma, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}}$ denotes zero or one narrowing steps.

Lemma 5. Given a topmost rewrite theory $\mathcal{R}_{\mathcal{P}} = (\Sigma_{\mathcal{P}}, E_{\mathcal{P}}, R_{\mathcal{P}})$ representing protocol $\mathcal{P}$ and two non-initial states $St_1, St_2$. If $St_1 \blacktriangleright St_2$ and $St_2 \leadsto_{\sigma_2, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_2$, then there is a state $St'_1$ and a substitution $\sigma_1$ such that $St_1 \leadsto^{\leq 1}_{\sigma_1, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_1$ and either $St'_1$ is an initial state or $St'_1 \blacktriangleright St'_2$.

Proof. Since $St_1 \blacktriangleright St_2$, there is a substitution $\theta$ s.t. $\theta(St_1) \rhd St_2$. If each intruder fact of the form $t \in \mathcal{I}$ in $\sigma_2(\theta(St_1))$ appears in $St'_2$ (modulo $E_{\mathcal{P}}$) and each non-initial strand in $\sigma_2(\theta(St_1))$ appears in $St'_2$ (modulo $E_{\mathcal{P}}$), then, by Lemma 1, $\sigma_2(\theta(St_1)) \rhd St'_2$, i.e., $St_1 \blacktriangleright St'_2$. Otherwise, Lemma 2 states that either (a) there is an intruder fact of the form $t \in \mathcal{I}$ in $\sigma_2(\theta(St_1))$ that does not appear in $St'_2$ (modulo $E_{\mathcal{P}}$), or (b) there is a non-initial strand in $\sigma_2(\theta(St_1))$ that does not appear in $St'_2$ (modulo $E_{\mathcal{P}}$). For case (a), by Lemma 3 there is a state $St'_1$ and a substitution $\sigma_1$ such that $St_1 \leadsto_{\sigma_1, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_1$ and either $St'_1$ is an initial state or there is a substitution $\rho$ s.t. $\rho(St'_1) \rhd St'_2$. For case (b), by Lemma 4, $\sigma_2|_{var(St_2)} = id$, and there is a state $St'_1$ such that $St_1 \leadsto_{\sigma_1, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St'_1$ and either $St'_1$ is an initial state or $St'_1 \rhd St'_2$, i.e., $St'_1 \blacktriangleright St'_2$. □

Preservation of reachability follows from the following main theorem. Note that the relation $\blacktriangleright$ is applicable only to non-initial states, whereas the relation $\subseteq_{E_{\mathcal{P}}}$ of Definition 3 is applicable to both initial and non-initial states.

Theorem 3. Given a topmost rewrite theory $\mathcal{R}_{\mathcal{P}} = (\Sigma_{\mathcal{P}}, E_{\mathcal{P}}, R_{\mathcal{P}})$ representing protocol $\mathcal{P}$ and two states $St_1, St_2$. If $St_1 \blacktriangleright St_2$, $St_2^{ini}$ is an initial state, and $St_2 \leadsto^{*}_{\sigma_2, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St_2^{ini}$, then there is an initial state $St_1^{ini}$ and substitutions $\sigma_1$ and $\theta$ such that $St_1 \leadsto^{*}_{\sigma_1, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} St_1^{ini}$ and $\theta(St_1^{ini}) \subseteq_{E_{\mathcal{P}}} St_2^{ini}$.

Proof. Consider $St_2 = U_0$, $St_2^{ini} = U_n$, $\sigma_2 = \rho_1 \cdots \rho_n$, and $U_0 \leadsto_{\rho_1, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} U_1 \cdots \leadsto_{\rho_n, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} U_n$. Note that $n \neq 0$, since $St_2$ cannot be an initial state because $St_1 \blacktriangleright St_2$ implies that both $St_1$ and $St_2$ are not initial states. Then, by Lemma 5, there is $i \leq n$ such that for each $j < i$, $U'_{j-1} \leadsto_{\rho'_j, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} U'_j$ with $U'_j \blacktriangleright U_j$, and there is a step $U'_{i-1} \leadsto_{\rho'_i, R^{-1}_{\mathcal{P}}, E_{\mathcal{P}}} U'_i$ s.t. $U'_i$ is an initial state and there is a substitution $\theta$ s.t. $\theta(U'_i) \subseteq_{E_{\mathcal{P}}} U_i \subseteq_{E_{\mathcal{P}}} U_n$. □

This POR technique is used as follows: we keep all the states of the backwards narrowing-based tree and compare each new leaf node of the tree with all the previous states in the tree. If a leaf node is $\mathcal{P}$-subsumed by a previously generated node in the tree, we discard that leaf node.
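As an added example (not Maude-NPA's own code), the following implements the check $St_1 \blacktriangleright St_2$ of Definition 5 on a small tuple encoding of terms: it searches, by backtracking, for a substitution $\theta$ under which every fact $t \in \mathcal{I}$ of $St_1$ is a fact of $St_2$ and every non-initial strand of $St_1$ is a strand of $St_2$ with the bar at the same position, which is exactly $\theta(St_1) \rhd St_2$ of Definition 4. The encoding (symbol-first tuples, uppercase strings as variables, a strand as its two halves around the bar) is an assumption of the example. Matching is syntactic except for one hand-coded equational case, the rule exp(exp(G,N),M) = exp(G, N*M) needed to relate the two states of Example 7; that shortcut, the absence of AC matching for *, and the omission of $t \notin \mathcal{I}$ facts (which $\rhd$ does not consult) are simplifications of this example, whereas Maude-NPA matches modulo the whole theory $E_{\mathcal{P}}$. The sample states are constructed from Example 7.

```python
# Added example (not Maude-NPA code): the P-subsumption check St1 ▶ St2 of
# Definition 5, i.e. search for a substitution θ with θ(St1) ▷ St2 (Definition 4).
# Encoding (an assumption of this example): terms are tuples with the symbol
# first, uppercase strings are variables; a strand is (before_bar, after_bar)
# with messages as (sign, term); a state is (strands, list of terms t with t∈I).
# Matching is syntactic except for one hand-coded equation, exp(exp(G,N),M) =
# exp(G, N*M), and * is not treated as AC; Maude-NPA matches modulo all of E_P.


def is_var(t):
    return isinstance(t, str) and t[:1].isupper()


def match(pat, term, theta):
    """Extend theta so that theta(pat) equals term; return None if impossible."""
    if is_var(pat):
        if pat in theta:
            return theta if theta[pat] == term else None
        return {**theta, pat: term}
    if not (isinstance(pat, tuple) and isinstance(term, tuple)):
        return theta if pat == term else None
    if pat[0] == term[0] and len(pat) == len(term):     # plain syntactic matching
        th = theta
        for p, t in zip(pat[1:], term[1:]):
            th = match(p, t, th)
            if th is None:
                break
        if th is not None:
            return th
    # Equational case (assumption): exp(V, M) with V a variable also matches
    # exp(G, N*M) through V ↦ exp(G, N), because exp(exp(G,N), M) = exp(G, N*M).
    if (pat[0] == "exp" and len(pat) == 3 and is_var(pat[1]) and term[0] == "exp"
            and len(term) == 3 and isinstance(term[2], tuple) and term[2][0] == "*"):
        g, (_, n, m) = term[1], term[2]
        th = match(pat[1], ("exp", g, n), theta)
        return None if th is None else match(pat[2], m, th)
    return None


def match_seq(pats, terms, theta):
    # Two message sequences match position by position, with equal signs.
    if len(pats) != len(terms):
        return None
    for (sp, p), (st, t) in zip(pats, terms):
        theta = None if sp != st else match(p, t, theta)
        if theta is None:
            return None
    return theta


def match_strand(s1, s2, theta):
    # The bar must be at the same position, so both halves must match.
    theta = match_seq(s1[0], s2[0], theta)
    return None if theta is None else match_seq(s1[1], s2[1], theta)


def assign(items, candidates, matcher, theta):
    """Backtracking: yield every theta under which each item matches some candidate."""
    if not items:
        yield theta
        return
    for c in candidates:
        th = matcher(items[0], c, theta)
        if th is not None:
            yield from assign(items[1:], candidates, matcher, th)


def subsumes(st1, st2):
    """Return θ with θ(St1) ▷ St2 if St2 is P-subsumed by St1, otherwise None."""
    strands1, facts1 = st1
    strands2, facts2 = st2
    non_initial1 = [s for s in strands1 if s[0]]     # initial strands have the bar at nil
    for th in assign(facts1, facts2, match, {}):
        for th2 in assign(non_initial1, strands2, match_strand, th):
            return th2
    return None


# Constructed states from Example 7 (shared pieces first).
N_B = ("n", "B", "r'")
SEC = ("sec", "a", "r''")
EXP_Y = ("exp", "Y", N_B)
ENC_Y = ("e", EXP_Y, SEC)
EXP_G = ("exp", "g", N_B)
BOB_Y = ([("-", (";", "A", "B", "Y")), ("+", (";", "B", "A", EXP_G))], [("-", ENC_Y)])


def first_state():
    return ([([], [("-", EXP_Y), ("-", SEC), ("+", ENC_Y)]), BOB_Y], [SEC, EXP_Y])


def second_state():
    # Y instantiated to exp(G, N); the intruder builds exp(G, N * n(B, r')).
    exp_gn = ("exp", "G", ("*", "N", N_B))
    enc_g = ("e", exp_gn, SEC)
    bob_g = ([("-", (";", "A", "B", ("exp", "G", "N"))), ("+", (";", "B", "A", EXP_G))],
             [("-", enc_g)])
    return ([([], [("-", ("exp", "G", N_B)), ("-", "N"), ("+", exp_gn)]),
             ([], [("-", exp_gn), ("-", SEC), ("+", enc_g)]), bob_g],
            [SEC, ("exp", "G", N_B), "N", exp_gn])


def kernel_state():
    return ([BOB_Y], [SEC, EXP_Y])
```

With these states, subsumes(first_state(), second_state()) finds θ with Y ↦ exp(G, N), as the example describes, subsumes(second_state(), first_state()) returns None, and the kernel state subsumes both. In the search strategy described above, the second state would therefore be discarded as a leaf once the first had been generated.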

4.7. The Super-Lazy Intruder

Sometimes terms appear in the intruder's knowledge that are trivially learnable by the intruder. These include terms initially available to the intruder (such as names) and variables. In the case of variables, especially, the intruder can substitute any arbitrary term of the same sort as the variable¹ and so there is no need to try to determine all the ways in which the intruder can do this. For this reason it is safe, at least temporarily, to drop these terms from the state. We will refer to those terms as (super) lazy intruder terms.

Example 8. Consider again the attack pattern of the Diffie-Hellman protocol used in the earlier examples. After a couple of backwards narrowing steps, the Maude-NPA finds the following state, which considers how the intruder can learn $sec(a,r'')$ by assuming he can learn a message $e(K, sec(a,r''))$ and the key $K$:

$[\ nil \mid K^{-},\ e(K, sec(a,r''))^{-},\ sec(a,r'')^{+}\ ]\ \&$
$:: r' ::$
$[\ (A;B;Y)^{-},\ (B;A;exp(g,n(B,r')))^{+} \mid (e(exp(Y, n(B,r')), sec(a,r'')))^{-}\ ]\ \&$
$(\ e(exp(Y,n(B,r')), sec(a,r''))\in\mathcal{I},\ K\in\mathcal{I},\ e(K, sec(a,r''))\in\mathcal{I},\ sec(a,r'')\notin\mathcal{I}\ )$

Here variable $K$ is a super-lazy term and the tool would not search for its possible values. The problem, of course, is that later on in the search the variable $K$ may become instantiated, in which case the term becomes relevant to the search. Indeed, after some more backwards narrowing steps, the tool tries to unify message $e(K, sec(a,r''))$ with an output message $e(exp(X, n(A,r)), sec(A,r_2))$ of an explicitly added Bob's strand of the form

$:: r, r_2 ::$
$[\ (A;B;exp(g,n(A,r)))^{+},\ (B;A;X)^{-},\ (e(exp(X,n(A,r)), sec(A,r_2)))^{+}\ ]$

thus getting an instantiation for the super-lazy term $K$, namely $\{K \mapsto exp(X, n(A,r))\}$.

Footnote: This, of course, is subject to the assumption that the intruder can produce at least one term of that sort. But since the intruder is assumed to have access to the network and to all the operations available to an honest principal, this is a reasonable restriction to make.

Note that the tool could simply continue searching for an initial state even after a super-lazy term has been properly instantiated, and this would not cause the tool to prove an insecure protocol to be secure. However, it would lead to an unacceptably large number of false attacks, because the contents of variable $K$ are expected to be learned by the intruder too, and that obligation would never be checked.

We take an approach similar to that of the lazy intruder of Basin et al. [T] 
and extend it to a more general case, that we call super-lazy terms. We note 
that this use of what we here call the super-lazy intruder was also present in 
the original NPA. 

The set $C(St)$ of super-lazy terms w.r.t. a state $St$ is inductively generated as a subset $C(St) \subseteq T_{\Omega}(\mathcal{V} \cup IK_0)$, where $IK_0$ is the basic set of terms known by the intruder at the beginning of a protocol execution, $\mathcal{V}$ is a subset of the variables of $St$, and $\Omega$ is the set of operations available to the intruder. The idea of super-lazy terms is that we also want to exclude from $C(St)$ the set $IK^{\notin}(St)$ of terms that the intruder does not know, together with all their possible combinations with symbols in $\Omega$.

Definition 6 (Super-lazy terms). Let $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ be a topmost rewrite theory representing protocol $P$. Let $IK_0$ be the basic set of terms known by the intruder at the beginning of a protocol execution, defined as $IK_0 = \{ t' \mid [t^{+}] \in S_P,\ t' =_{E_P} t \}$. Let $\Omega$ be the set of operations available to the intruder, defined as

$\Omega = \{ f : s_1 \cdots s_k \to s \mid [(X_1{:}s_1)^{-}, \ldots, (X_k{:}s_k)^{-}, (f(X_1{:}s_1, \ldots, X_k{:}s_k))^{+}] \in S_P \}.$

Let $St$ be a state (with logical variables). Let $IK^{\notin}(St)$ be the set of terms that the intruder does not know at state $St$, defined as $IK^{\notin}(St) = \{ m' \mid (m\notin\mathcal{I}) \in St,\ m' =_{E_P} m \}$. The set $C(St)$ of super-lazy terms w.r.t. $St$ (or simply super-lazy terms) is defined as

1. $IK_0 \subseteq C(St)$,

2. $Var(St) - IK^{\notin}(St) \subseteq C(St)$,

3. for each $f : s_1 \cdots s_k \to s \in \Omega$ and for all $t_1{:}s_1, \ldots, t_k{:}s_k \in C(St)$, if $f(t_1{:}s_1, \ldots, t_k{:}s_k) \notin IK^{\notin}(St)$, then $f(t_1{:}s_1, \ldots, t_k{:}s_k) \in C(St)$.

The idea behind the super-lazy intruder is that, given a term made out of lazy intruder terms, such as "$a; e(K, Y)$", where $a$ is a public name and $K$ and $Y$ are variables, the term "$a; e(K, Y)$" is also a (super) lazy intruder term, obtained by applying the intruder operations $e$ and $\_;\_$ to lazy terms.
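As an added illustration (this is not code from the Maude-NPA tool or from the paper), the following Python decides membership in $C(St)$ by the recursion implicit in Definition 6, on a hand-built copy of the state of Example 8. It compares terms syntactically instead of modulo $E_P$, ignores sorts, and writes the Fresh variables $r'$ and $r''$ as constants; all three are simplifications assumed here. The sets `IK0` and `OMEGA` are the constructed inputs that Definition 6 derives from the protocol strands.

```python
# Added example (not Maude-NPA code): membership test for the set C(St) of
# super-lazy terms of Definition 6 on a hand-built copy of the Example 8 state.
# Assumed simplifications: syntactic equality instead of E_P, no sorts, and the
# Fresh variables r' and r'' written as lower-case constants.

# A term is a variable (str starting with an upper-case letter), a constant
# (any other str) or a tuple (symbol, arg_1, ..., arg_k).
def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def vars_of(t):
    if is_var(t):
        return {t}
    if isinstance(t, str):
        return set()
    return set().union(*[vars_of(a) for a in t[1:]])

def state_vars(state):
    """Var(St): the variables of all strand messages and intruder facts.
    Strands are lists of (message, sign) pairs (the bar is not needed here);
    intruder facts are (message, known) with known=True for m in I and
    known=False for m notin I."""
    vs = set()
    for strand in state["strands"]:
        for (m, _sign) in strand:
            vs |= vars_of(m)
    for (m, _known) in state["ik"]:
        vs |= vars_of(m)
    return vs

def is_super_lazy(t, state, ik0, omega):
    """t in C(St) by rule 1 (t in IK_0), rule 2 (t is a variable of St not in
    IK^{notin}(St)) or rule 3 (t = f(t_1..t_k) with f in Omega, t not in
    IK^{notin}(St) and every t_i super-lazy). Membership in the least fixpoint
    reduces to this recursion because rule 3 only builds larger terms."""
    unknown = {m for (m, known) in state["ik"] if not known}   # IK^{notin}(St)
    if t in ik0:                                  # rule 1
        return True
    if t in unknown:                              # excluded by rules 2 and 3
        return False
    if is_var(t):                                 # rule 2
        return t in state_vars(state)
    if isinstance(t, str):                        # a constant the intruder lacks
        return False
    f, args = t[0], t[1:]
    return (f, len(args)) in omega and all(        # rule 3
        is_super_lazy(a, state, ik0, omega) for a in args)

# Constructed copy of the Example 8 state; A;B;Y is the nested pair ;(A, ;(B, Y)).
SEC = ("sec", "a", "r''")
KEY_MSG = ("e", "K", SEC)
BOB_MSG = ("e", ("exp", "Y", ("n", "B", "r'")), SEC)
EXAMPLE_8 = {
    "strands": [
        [("K", "-"), (KEY_MSG, "-"), (SEC, "+")],                  # intruder decryption
        [((";", "A", (";", "B", "Y")), "-"),
         ((";", "B", (";", "A", ("exp", "g", ("n", "B", "r'")))), "+"),
         (BOB_MSG, "-")],                                          # Bob's strand
    ],
    "ik": [(BOB_MSG, True), ("K", True), (KEY_MSG, True), (SEC, False)],
}
IK0 = {"a", "b", "g"}                        # public names and the DH generator
OMEGA = {("e", 2), (";", 2), ("exp", 2)}     # encryption, concatenation, exponentiation

if __name__ == "__main__":
    for term in ("K", SEC, KEY_MSG, (";", "a", ("e", "K", "Y"))):
        print(term, "->", is_super_lazy(term, EXAMPLE_8, IK0, OMEGA))
```

The nonce $n(B, r')$ is not super-lazy because $n$ is not an intruder operation, so $exp(Y, n(B, r'))$ is rejected even though $Y$ alone is lazy; this is exactly why the tool may drop $K$ from Example 8 but must still explain how $e(K, sec(a, r''))$ is learned.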

Let us first briefly explain how the (super) lazy intruder mechanism works before formally describing it. A ghost state is a state extended to allow expressions of the form $ghost(m)$ in the intruder's knowledge, where $m$ is a super-lazy term. When, during the backwards reachability analysis, we detect a state $St$ having a super-lazy term $t$ in an expression $t\in\mathcal{I}$ in the intruder's knowledge, we replace the intruder fact $t\in\mathcal{I}$ in $St$ by $ghost(t)$ and keep the ghost version of $St$ in the history of states used by the transition subsumption of Section 4.6. For instance, the state of Example 8 with the super-lazy intruder term $K$ would be represented as follows, where we have just replaced $K\in\mathcal{I}$ by $ghost(K)$:



$[\ nil \mid e(K, sec(a,r''))^{-},\ sec(a,r'')^{+}\ ]\ \&$
$:: r' ::\ [\ (A;B;Y)^{-},\ (B;A;exp(g,n(B,r')))^{+} \mid (e(exp(Y, n(B,r')), sec(a,r'')))^{-}\ ]\ \&$
$(\ ghost(K),\ e(exp(Y,n(B,r')), sec(a,r''))\in\mathcal{I},\ e(K, sec(a,r''))\in\mathcal{I},\ sec(a,r'')\notin\mathcal{I}\ )$

If later in the search tree we detect a ghost state $St'$ containing an expression $ghost(t)$ such that $t$ is no longer a super-lazy intruder term, then there is a state $St$ with an expression $ghost(u)$ that precedes $St'$ in the narrowing tree such that the message $u$ has been instantiated to $t$ in an appropriate way, and we must reactivate that original state $St$. That is, we "roll back" and replace the current state $St'$, containing expression $ghost(t)$, by an instantiated version of state $St$, namely $\theta(St)$, where $t =_{E_P} \theta(u)$. This is explained in detail in Definition 11 below.

However, if the substitution 9 binding variables in u includes variables of 
sort Fresh, we have to keep them in the reactivated version of St, since they are 
unique in our model. Therefore, the strands indexed by these fresh variables 
must also be included in the "rolled back" state, even if they were not there 
originally. Moreover, they must have the bar at the place where it was when the 
strands were originally introduced. We show below how this is accomplished. 
Furthermore, if any of the strands thus introduced have other variables of sort 
Fresh as subterms, then the strands indexed by those variables must be included 
too, and so on. That is, when a state St' properly instantiating a ghost expres- 
sion ghost{t) is found, the procedure of rolling back to the original state St 
that gave rise to that ghost expression implies not only applying the bindings 
for the variables of t to St, but also introducing in St all the strands from St' 
that produced fresh variables and that either appear in the variables of t or are 
recursively connected with them. 

Example 9. For instance, after the tool finds an instantiation for variable $K$, the tool rolls back to the state originating the super-lazy term $K$ as follows, where we have copied the explicitly added Bob's strand with the vertical bar at the rightmost position because it is the strand generating the Fresh variable $r''$:

$[\ nil \mid exp(X,n(a,r))^{-},\ e(exp(X,n(a,r)), sec(a,r''))^{-},\ sec(a,r'')^{+}\ ]\ \&$
$:: r, r'' ::$
$[\ (a;B';exp(g,n(a,r)))^{+},\ (B';a;X)^{-},\ (e(exp(X,n(a,r)), sec(a,r'')))^{+} \mid nil\ ]\ \&$
$:: r' ::\ [\ (A;B;Y)^{-},\ (B;A;exp(g,n(B,r')))^{+} \mid (e(exp(Y, n(B,r')), sec(a,r'')))^{-}\ ]\ \&$
$(\ e(exp(Y,n(B,r')), sec(a,r''))\in\mathcal{I},\ exp(X,n(a,r))\in\mathcal{I},$
$\ \ e(exp(X,n(a,r)), sec(a,r''))\in\mathcal{I},\ sec(a,r'')\notin\mathcal{I}\ )$
In order for the super-lazy intruder mechanism to be able to tell where the bar was when a strand was introduced, we must modify the set of rules of type (4) introducing new strands:

$\{\ [l_1 \mid u^{+}]\ \&\ \{u\notin\mathcal{I}, K\} \to \{u\in\mathcal{I}, K\}\ \mid\ [l_1, u^{+}, l_2] \in S_P\ \}$ (6)

Note that rules of type (4) introduce strands $[l_1 \mid u^{+}, l_2]$, whereas here rules of type (6) introduce strands $[l_1 \mid u^{+}]$. This slight modification makes it possible to safely move the position of the bar back to the place where the strand was introduced. However, now the strands added may be partial, since the whole sequence of actions performed by the principal is not directly recorded in the strand. Therefore, the set of rewrite rules used by narrowing in reverse is now $R'_P = \{(1), (2), (3)\} \cup \{(6)\}$.

First, we define a new relation $\sqsubseteq_{E_P}$ between states, which is similar to the one of Definition 3 but considers partial strands.

Definition 7 (Partial Inclusion). Given two states $St_1, St_2$, we abuse notation and write $St_1 \sqsubseteq_{E_P} St_2$ to denote that every intruder fact in $St_1$ appears in $St_2$ (modulo $E_P$) and that every strand $[m_1^{\pm}, \ldots, m_k^{\pm}]$ in $St_1$ either appears in $St_2$ (modulo $E_P$) or there is $i \in \{1, \ldots, k\}$ s.t. $m_i^{\pm} = m_i^{+}$ and $[m_1^{\pm}, \ldots, m_i^{\pm}]$ appears in $St_2$ (modulo $E_P$).
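The following Python is an added example (not the tool's code) of Definition 7 next to plain inclusion, on constructed Diffie-Hellman style strands: Alice's full strand and the positive-ending prefix that a rule of type (6) introduces for her first output. $E_P$-equality is approximated by syntactic equality, which is an assumption of this example, and strands are written without their bar.

```python
# Added example (not Maude-NPA code): the partial inclusion relation of
# Definition 7 beside plain inclusion, with E_P-equality approximated by
# syntactic equality. A strand is a list of (message, sign) pairs with the bar
# omitted; a state holds its strands and its intruder facts (message, known),
# where known=True means m in I and known=False means m notin I.

def strand_appears(strand, state):
    """The strand appears in St (modulo E_P; here: syntactically)."""
    return any(strand == s for s in state["strands"])

def positive_prefixes(strand):
    """Prefixes [m_1, ..., m_i] whose last message m_i is positive: the shape
    of the partial strands that rule (6) introduces."""
    return [strand[:i] for i in range(1, len(strand) + 1) if strand[i - 1][1] == "+"]

def inclusion(st1, st2):
    """Plain inclusion: every intruder fact and every whole strand of St1
    appears in St2."""
    return (all(fact in st2["ik"] for fact in st1["ik"])
            and all(strand_appears(s, st2) for s in st1["strands"]))

def partial_inclusion(st1, st2):
    """Definition 7: every intruder fact of St1 appears in St2 and every
    strand of St1 appears in St2 either whole or as one of its
    positive-ending prefixes."""
    return (all(fact in st2["ik"] for fact in st1["ik"])
            and all(strand_appears(s, st2)
                    or any(strand_appears(p, st2) for p in positive_prefixes(s))
                    for s in st1["strands"]))

# Constructed data: Alice's full strand and the partial strand rule (6) would
# introduce for her first output message.
HALF_KEY = ("exp", "g", ("n", "a", "r"))
ALICE_FULL = [((";", "a", (";", "B", HALF_KEY)), "+"),
              ((";", "B", (";", "a", "X")), "-"),
              (("e", ("exp", "X", ("n", "a", "r")), ("sec", "a", "r''")), "+")]
ALICE_PARTIAL = ALICE_FULL[:1]
FACTS = [(HALF_KEY, True), (("sec", "a", "r''"), False)]

ST_FULL = {"strands": [ALICE_FULL], "ik": FACTS}
ST_PARTIAL = {"strands": [ALICE_PARTIAL], "ik": FACTS}
ST_BAD_CUT = {"strands": [ALICE_FULL[:2]], "ik": FACTS}      # prefix ending in a negative
ST_FEWER_FACTS = {"strands": [ALICE_PARTIAL], "ik": FACTS[:1]}

if __name__ == "__main__":
    print("plain:", inclusion(ST_FULL, ST_PARTIAL),
          "partial:", partial_inclusion(ST_FULL, ST_PARTIAL))
```

A prefix that stops after a received message (`ST_BAD_CUT`) is not accepted, because rule (6) only ever introduces strands ending in the positive message that the intruder needed.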

The following result ensures that if a state is reachable via backwards reachability analysis using $R_P$, then it is also reachable using $R'_P$. Its proof is straightforward.

Proposition 2. Let $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ be a topmost rewrite theory representing protocol $P$. Let $St = ss\ \&\ SS\ \&\ \{ik, IK\}$ where $ss$ is a term representing a set of strands, $ik$ is a term representing a set of intruder facts, $SS$ is a variable for strands, and $IK$ is a variable for intruder knowledge. If there is an initial state $St_{ini}$ and a substitution $\sigma$ such that $St \leadsto^{*}_{\sigma, R_P^{-1}, E_P} St_{ini}$, then there is an initial state $St'_{ini}$ and two substitutions $\sigma', \rho$ such that $St \leadsto^{*}_{\sigma', R'^{-1}_P, E_P} St'_{ini}$, $\sigma =_{E_P} \sigma' \circ \rho$, and $\rho(St'_{ini}) \sqsubseteq_{E_P} St_{ini}$.

Now, we describe how to reactivate a state. First, we formally define a ghost 
state. 

Definition 8 (Ghost State). Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and a state $St$ containing an intruder fact $t\in\mathcal{I}$ such that $t$ is a super-lazy term, we define the ghost version of $St$, written $\widehat{St}$, by replacing $t\in\mathcal{I}$ in $St$ by $ghost(t)$.

Now, in order to resuscitate a state, we need to formally compute the strands that are generating Fresh variables relevant to the instantiation found for the super-lazy term.

Definition 9 (Strand Reset). Given a strand $s$ of the form $:: r_1, \ldots, r_k ::\ [m_1^{\pm}, \ldots \mid \ldots, m_n^{\pm}]$, when we want to move the bar to the rightmost position (denoting a final strand), we write $s^{\triangleright} = \ :: r_1, \ldots, r_k ::\ [m_1^{\pm}, \ldots, m_n^{\pm} \mid nil]$.
Definition 10 (Fresh Generating Strands). Given a state $St$ containing an intruder fact $ghost(t)$ for some term $t$ with variables, we define the set of strands associated to $t$, denoted $strands_{St}(t)$, as follows:

• for each strand $s$ in $St$ of the form $:: r_1, \ldots, r_k ::\ [m_1^{\pm}, \ldots \mid \ldots, m_n^{\pm}]$, if there is $i \in \{1, \ldots, k\}$ s.t. $r_i \in Var(t)$, then $s^{\triangleright}$ is included into $strands_{St}(t)$; or

• for each strand $s$ in $St$ of the form $:: r_1, \ldots, r_k ::\ [m_1^{\pm}, \ldots \mid \ldots, m_n^{\pm}]$, if there is another strand $s'$ of the form $:: r'_1, \ldots, r'_{k'} ::\ [w_1^{\pm}, \ldots \mid \ldots, w_{n'}^{\pm}]$ in $strands_{St}(t)$, and there are $i \in \{1, \ldots, k\}$ and $j \in \{1, \ldots, n'\}$ s.t. $r_i \in Var(w_j)$, then $s^{\triangleright}$ is included into $strands_{St}(t)$.

Now, we formally define how to resuscitate a state.

Definition 11 (Resuscitation). Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and a state $St$ containing an intruder fact $t\in\mathcal{I}$ such that $t$ is a super-lazy term, i.e., $St = ss\ \&\ \{t\in\mathcal{I}, ik\}$ where $ss$ is a term denoting a set of strands and $ik$ is a term denoting the rest of the intruder knowledge. Let $\widehat{St}$ be the ghost version of $St$. Let $St'$ be a state such that $\widehat{St} \leadsto^{*}_{\sigma, R'^{-1}_P, E_P} St'$ and $\sigma(t)$ is not a super-lazy term. Let $\sigma_t = \sigma|_{Var(t)}$. The reactivated (or resuscitated) version of $St$ w.r.t. state $St'$ and substitution $\sigma_t$, written $\widetilde{St}$, is defined as $\widetilde{St} = \sigma_t(ss)\ \&\ \sigma_t(ik)\ \&\ strands_{St'}(\sigma_t(t))$.
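The following Python is an added example, not the tool's code, that runs Definitions 9, 10 and 11 on a constructed state: the intruder must learn a super-lazy $K$, a later state has bound $K$ to Alice's nonce $n(a,r)$, Alice's strand (generating $r$) echoes Bob's nonce $n(b,r_3)$, so Bob's strand (generating $r_3$) must be rolled back too, while a third strand generating $r_4$ must not. $E_P$ is ignored; as on this page, Fresh variables are named $r$, $r_3$, and so on, so the example takes every name starting with "r" to be a variable of sort Fresh. Following Example 9, the instantiated fact $\sigma_t(t)\in\mathcal{I}$ is kept in the reactivated intruder knowledge.

```python
# Added example (not Maude-NPA code): strand reset (Definition 9), the
# fresh-generating strands of Definition 10 and the resuscitation of
# Definition 11 on a constructed state, E_P ignored. A strand is a dict
# {"fresh": [...], "before": [...], "after": [...]} with the vertical bar
# between "before" and "after"; messages are (term, sign) pairs. Terms are
# variables, constants or tuples (symbol, args...). Names starting with "r"
# are Fresh variables; other variables start with an upper-case letter.

def is_var(t):
    return isinstance(t, str) and (t[:1].isupper() or t[:1] == "r")

def vars_of(t):
    if is_var(t):
        return {t}
    if isinstance(t, str):
        return set()
    return set().union(*[vars_of(a) for a in t[1:]])

def subst(sigma, t):
    if is_var(t):
        return sigma.get(t, t)
    if isinstance(t, str):
        return t
    return (t[0],) + tuple(subst(sigma, a) for a in t[1:])

def reset(strand):
    """s^> of Definition 9: the same strand with the bar at the rightmost position."""
    return {"fresh": list(strand["fresh"]),
            "before": strand["before"] + strand["after"], "after": []}

def msg_vars(strand):
    vs = set()
    for (m, _sign) in strand["before"] + strand["after"]:
        vs |= vars_of(m)
    return vs

def fresh_generating_strands(state, t):
    """strands_St(t) of Definition 10: strands of St generating a Fresh
    variable of t, closed under the Fresh variables occurring in messages of
    strands already included; every chosen strand is returned reset."""
    wanted = set(vars_of(t))
    chosen = []
    changed = True
    while changed:
        changed = False
        for i, s in enumerate(state["strands"]):
            if i not in chosen and any(r in wanted for r in s["fresh"]):
                chosen.append(i)
                wanted |= msg_vars(s)
                changed = True
    return [reset(state["strands"][i]) for i in chosen]

def ghost(state, t):
    """Ghost version of St (Definition 8): the fact t in I becomes ghost(t)."""
    return {"strands": state["strands"],
            "ik": [("ghost", t) if fact == (t, True) else fact for fact in state["ik"]]}

def resuscitate(state, t, sigma, later):
    """Reactivated version of St (Definition 11) w.r.t. a later state St' in
    which sigma(t) stopped being super-lazy: sigma_t applied to the strands
    and intruder facts of St, plus strands_{St'}(sigma_t(t)). As in Example 9
    the instantiated fact sigma_t(t) in I stays in the intruder knowledge."""
    sigma_t = {x: sigma[x] for x in vars_of(t) if x in sigma}
    def apply(msgs):
        return [(subst(sigma_t, m), sign) for (m, sign) in msgs]
    strands = [{"fresh": list(s["fresh"]), "before": apply(s["before"]),
                "after": apply(s["after"])} for s in state["strands"]]
    strands += fresh_generating_strands(later, subst(sigma_t, t))
    ik = [(subst(sigma_t, m), known) for (m, known) in state["ik"]]
    return {"strands": strands, "ik": ik}

# Constructed data. St: the intruder must learn K (super-lazy) to decrypt.
SEC = ("sec", "a", "r''")
ST = {"strands": [{"fresh": [], "before": [],
                   "after": [("K", "-"), (("e", "K", SEC), "-"), (SEC, "+")]}],
      "ik": [("K", True), (("e", "K", SEC), True), (SEC, False)]}
# St': K was bound to Alice's nonce n(a, r); Alice (fresh r) echoes Bob's
# nonce n(b, r3), received in N, so Bob's strand (fresh r3) is rolled back too,
# while the unrelated strand generating r4 is not.
SIGMA = {"K": ("n", "a", "r"), "N": ("n", "b", "r3")}
LATER = {"strands": [
    {"fresh": ["r"], "before": [((";", "b", ("n", "b", "r3")), "-")],
     "after": [((";", "a", (";", ("n", "a", "r"), ("n", "b", "r3"))), "+")]},
    {"fresh": ["r3"], "before": [((";", "b", ("n", "b", "r3")), "+")], "after": []},
    {"fresh": ["r4"], "before": [], "after": [((";", "c", ("n", "c", "r4")), "+")]}],
    "ik": [(("n", "a", "r"), True), (SEC, False)]}

if __name__ == "__main__":
    for s in resuscitate(ST, "K", SIGMA, LATER)["strands"]:
        print(s["fresh"], len(s["before"]), "|", len(s["after"]))
```

Only the binding of $K$ is carried over (`sigma_t` drops `N`), which is why the rolled-back strands are copied from $St'$ rather than re-derived: they are the only record of how $r_3$ came to matter.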

Let us now prove the completeness of this state space reduction technique.

Theorem 4. Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and a state $St$ containing an intruder fact $t\in\mathcal{I}$ such that $t$ is a super-lazy term, if there exist an initial state $St_{ini}$ and a substitution $\theta$ such that $St \leadsto^{*}_{\theta, R_P^{-1}, E_P} St_{ini}$, then (i) there exist a state $St'$ and substitutions $\tau, \tau'$ such that $\widehat{St} \leadsto^{*}_{\tau, R'^{-1}_P, E_P} St'$, $\theta =_{E_P} \tau \circ \tau'$, and $\tau(t)$ is not a super-lazy term, and (ii) there exist a reactivated version $\widetilde{St}$ of $St$ w.r.t. $St'$ and $\tau$, an initial state $St'_{ini}$, and substitutions $\theta', \rho$ such that $\widetilde{St} \leadsto^{*}_{\theta', R'^{-1}_P, E_P} St'_{ini}$, $\theta =_{E_P} \theta' \circ \rho$, and $\rho(St'_{ini}) \sqsubseteq_{E_P} St_{ini}$.

Proof. The sequence from $St$ to $St_{ini}$ can be decomposed into two fragments, computing substitutions $\tau, \tau'$, respectively, such that $\tau$ is the smallest part of $\theta$ that makes $\tau(t)$ not a super-lazy term. That is, there is a state $St'$ and substitutions $\tau, \tau'$ such that $\tau(t)$ is not a super-lazy term, $\theta = \tau \circ \tau'$, $St \leadsto^{*}_{\tau, R_P^{-1}, E_P} St' \leadsto^{*}_{\tau', R_P^{-1}, E_P} St_{ini}$, and the sequence $St \leadsto^{*}_{\tau, R_P^{-1}, E_P} St'$ can be viewed as

$St = St_0 \leadsto_{\tau_1, R_P^{-1}, E_P} \cdots \leadsto_{\tau_k, R_P^{-1}, E_P} St_k = St'$

such that for all $i \in \{1, \ldots, k-1\}$, $\tau_i(t)$ is a super-lazy term. However, using the completeness results of narrowing, Theorem 1, there must be a narrowing sequence from $\widehat{St}$ computing such substitution $\tau$. That is, there is a state $St''$ such that $\widehat{St} \leadsto^{*}_{\tau, R'^{-1}_P, E_P} St''$ and $St''$ differs from $St'$ (modulo $E_P$-equivalence and variable renaming) only in that $\tau(t)\in\mathcal{I}$ is replaced by $ghost(\tau(t))$. Let $\tau_t = \tau|_{Var(t)}$; there exists a substitution $\tau''$ s.t. $\tau =_{E_P} \tau_t \circ \tau''$. Let $\widetilde{St}$ be the resuscitated version of $St$ w.r.t. state $St''$ and substitution $\tau_t$. Then, by narrowing completeness, i.e., Theorem 1, there exist a state $St'_{ini}$ and substitutions $\sigma, \rho$ such that $\widetilde{St} \leadsto^{*}_{\sigma, R'^{-1}_P, E_P} St'_{ini}$, $\tau'' \circ \tau' =_{E_P} \sigma \circ \rho$, and $\rho(St'_{ini}) \sqsubseteq_{E_P} St_{ini}$. □



4.7.1. Improving the Super-Lazy Intruder.

When we detect a state $St$ with a super-lazy term $t$, we may want to analyze whether the variables of $t$ can eventually be instantiated at all before creating a ghost state; if they cannot, no rollback will ever be needed. The following definition provides the key idea.

Definition 12 (Void Super-Lazy Term). Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$, and a state $St$ containing an intruder fact $t\in\mathcal{I}$ such that $t$ is a super-lazy term, if for each strand $[m_1^{\pm}, \ldots, m_{j-1}^{\pm} \mid m_j^{\pm}, \ldots, m_k^{\pm}]$ in $St$ and each $i \in \{1, \ldots, j-1\}$, $Var(t) \cap Var(m_i) = \emptyset$, and for each term $w\in\mathcal{I}$ in the intruder's knowledge, $Var(t) \cap Var(w) = \emptyset$, then $t$ is called a void super-lazy term.
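As an added example (not the tool's code), the following Python applies Definition 12 to the state of Example 8, where $K$ is not void because it also occurs in the fact $e(K, sec(a,r''))\in\mathcal{I}$, and to a constructed state where the lazy variable $Z$ occurs only right of the bar and is therefore void. Two assumptions of the example: $E_P$ is ignored, and the fact $t\in\mathcal{I}$ itself is skipped when checking the intruder knowledge, since it trivially shares the variables of $t$.

```python
# Added example (not Maude-NPA code): the void super-lazy term test of
# Definition 12 on two constructed states, E_P ignored. Strands are dicts
# {"before": [...], "after": [...]} with the bar between the two lists; only
# the messages to the left of the bar remain to be explored by backwards
# narrowing, so only they (and the other intruder facts) can instantiate t.

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def vars_of(t):
    if is_var(t):
        return {t}
    if isinstance(t, str):
        return set()
    return set().union(*[vars_of(a) for a in t[1:]])

def is_void_super_lazy(state, t):
    """Definition 12 for a term t already known to be super-lazy in St: no
    variable of t occurs in a message left of a bar nor in another positive
    intruder fact w in I (the fact t in I itself is excluded here)."""
    tv = vars_of(t)
    for strand in state["strands"]:
        for (m, _sign) in strand["before"]:
            if tv & vars_of(m):
                return False
    for (w, known) in state["ik"]:
        if known and w != t and tv & vars_of(w):
            return False
    return True

SEC = ("sec", "a", "r''")
# Example 8: K also occurs in the fact e(K, sec(a, r'')) in I, so the search
# will keep trying to instantiate it: not void.
EXAMPLE_8 = {"strands": [
    {"before": [], "after": [("K", "-"), (("e", "K", SEC), "-"), (SEC, "+")]},
    {"before": [((";", "A", (";", "B", "Y")), "-"),
                ((";", "B", (";", "A", ("exp", "g", ("n", "B", "r'")))), "+")],
     "after": [(("e", ("exp", "Y", ("n", "B", "r'")), SEC), "-")]}],
    "ik": [(("e", ("exp", "Y", ("n", "B", "r'")), SEC), True), ("K", True),
           (("e", "K", SEC), True), (SEC, False)]}
# Constructed variant: the intruder merely has to know some Z that is only
# mentioned right of the bar, so nothing left to explore can bind it: void.
VOID_CASE = {"strands": [
    {"before": [((";", "a", "Y"), "+")],
     "after": [("Z", "-"), ((";", "Z", "Y"), "+")]}],
    "ik": [("Z", True), ("Y", True), ((";", "Z", "Y"), False)]}

if __name__ == "__main__":
    print("K in Example 8 void:", is_void_super_lazy(EXAMPLE_8, "K"))
    print("Z in VOID_CASE void:", is_void_super_lazy(VOID_CASE, "Z"))
    print("Y in VOID_CASE void:", is_void_super_lazy(VOID_CASE, "Y"))
```

For a void term the ghost is never going to be resuscitated, so Proposition 3 below lets the tool drop the fact outright instead of carrying a ghost through the rest of the search.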

Proposition 3. Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and a state $St$ containing an intruder fact $t\in\mathcal{I}$ such that $t$ is a void super-lazy term, let $\widehat{St}$ be the ghost version of $St$ w.r.t. the void super-lazy term $t$. If there exist an initial state $St_{ini}$ and a substitution $\theta$ such that $St \leadsto^{*}_{\theta, R_P^{-1}, E_P} St_{ini}$, then there exist an initial state $St'_{ini}$ and substitutions $\sigma, \rho$ such that $\widehat{St} \leadsto^{*}_{\sigma, R_P^{-1}, E_P} St'_{ini}$, $\theta =_{E_P} \sigma \circ \rho$, and $\rho(St'_{ini}) \sqsubseteq_{E_P} St_{ini}$.

Proof. Since $t$ is a super-lazy term, $St_{ini}$ contains a sequence of intruder strands of $S_P$ generating $t$. Let $\theta_t = \theta|_{Var(t)}$; there exists a substitution $\theta'$ s.t. $\theta =_{E_P} \theta_t \circ \theta'$. Since $t$ is a void super-lazy term, there is a state $St''_{ini}$ such that $\theta'(\widehat{St}) \rightarrow^{*}_{R_P^{-1}, E_P} St''_{ini}$. Then, by narrowing completeness, i.e., Theorem 1, there are an initial state $St'_{ini}$ and substitutions $\sigma, \rho$ such that $\widehat{St} \leadsto^{*}_{\sigma, R_P^{-1}, E_P} St'_{ini}$, $\theta' =_{E_P} \sigma \circ \rho$, and $\rho(St'_{ini}) \sqsubseteq_{E_P} St''_{ini}$. Finally, $St''_{ini} \sqsubseteq_{E_P} St_{ini}$, since $St_{ini}$ simply has the strands generating $t$ that $St''_{ini}$ does not contain. □



4.7.2. Interaction with Transition Subsumption.

When a ghost state is reactivated, we see from the above definition that such a reactivated state will be $\mathcal{P}$-subsumed by the original state that raised the ghost expression. Therefore, the transition subsumption relation $\blacktriangleright$ of Section 4.6 has to be slightly modified to avoid checking a resuscitated state against its predecessor ghost state. Let us now formally state this problem.

Definition 13 (Resuscitated Child). Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and two non-initial states $St$ and $St'$ such that $St$ contains an intruder fact $t\in\mathcal{I}$ and $t$ is a super-lazy term, we say $St'$ is a resuscitated child of $St$, written $St \frown St'$, if:

1. given the ghost version $\widehat{St}$ of $St$ w.r.t. the super-lazy term $t$, there exist states $St_1, \ldots, St_k$, substitutions $\tau_1, \ldots, \tau_k$, and $i \in \{1, \ldots, k\}$ such that

$\widehat{St} \leadsto_{\tau_1, R'^{-1}_P, E_P} St_1 \cdots St_{k-1} \leadsto_{\tau_k, R'^{-1}_P, E_P} St_k,$

$\tau_j(t)$ is a super-lazy term for $1 \leq j \leq i-1$, and $\tau_i(t)$ is not a super-lazy term, and

2. given the reactivated version $\widetilde{St}$ of $St$ w.r.t. $St_i$ and $\tau = \tau_1 \circ \cdots \circ \tau_i$, and $\tau_t = \tau|_{Var(t)}$, there exist substitutions $\tau'_1, \ldots, \tau'_k$ such that $\tau_j = \tau_t \circ \tau'_j$ for $1 \leq j \leq k$, states $St'_1, \ldots, St'_k$, and a narrowing sequence

$\widetilde{St} \leadsto_{\tau'_1, R'^{-1}_P, E_P} St'_1 \cdots St'_{k-1} \leadsto_{\tau'_k, R'^{-1}_P, E_P} St'_k,$

3. then there is $j \in \{1, \ldots, k\}$ such that $St' =_{E_P} St'_j$.

Proposition 4. Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and two non-initial states $St$ and $St'$ such that $St$ contains an intruder fact $t\in\mathcal{I}$ and $t$ is a super-lazy term, if $St \frown St'$, then $St \blacktriangleright St'$ and reachability completeness is lost.

Proof. Since $\widehat{St}$ is similar to $St$ but $t\in\mathcal{I}$ has been replaced by $ghost(t)$, and $\widetilde{St}$ contains all the strands and positive intruder facts of $St$ but instantiated with $\tau|_{Var(t)}$, then for the sequences

$\widehat{St} \leadsto_{\tau_1, R'^{-1}_P, E_P} St_1 \cdots St_{k-1} \leadsto_{\tau_k, R'^{-1}_P, E_P} St_k$

and

$\widetilde{St} \leadsto_{\tau'_1, R'^{-1}_P, E_P} St'_1 \cdots St'_{k-1} \leadsto_{\tau'_k, R'^{-1}_P, E_P} St'_k$

we have that $St_j \blacktriangleright St'_j$ for $j \in \{1, \ldots, k\}$, since $St'_j$ contains all the strands and positive intruder facts of $St_j$ but instantiated with $\tau|_{Var(t)}$. Reachability completeness is lost because if there is an initial state $St_{ini}$ and a substitution $\tau'$ such that $St \leadsto^{*}_{\tau, R_P^{-1}, E_P} St' \leadsto^{*}_{\tau', R_P^{-1}, E_P} St_{ini}$ then, since $St$ is replaced by $\widehat{St}$ during the backwards reachability analysis and later $\widehat{St}$ is replaced by $\widetilde{St}$, when Maude-NPA finds that $St_j \blacktriangleright St'_j$, it removes $St'_j$ from the backwards reachability analysis, (possibly) leaving no successor of $\widetilde{St}$ leading to $St_{ini}$. □

The simplest way of deciding whether or not $St_1 \frown St_2$ is to examine the relative positions of $St_1$ and $St_2$ in the search tree as well as the narrowing steps between them, in the form established by Definition 13. However, for reasons of efficiency, we want to keep examinations of the search tree to a minimum and restrict ourselves as much as possible to looking at information in the state itself. Thus, we make use of information that is already in the state: the message sequence first mentioned in Section 3.1. We find that, after making minor modifications to this message sequence to take account of resuscitated ghosts, a simple syntactic check on the sequence provides a relation that approximates $\frown$.

In order to formally identify when a resuscitated state must not be erroneously discarded by $\blacktriangleright$, we extend protocol states to carry the actual message exchange sequence between principal or intruder strands, and add a new expression $resuscitated(m)$ to indicate when a state has been resuscitated. The actual set of rewrite rules extended to compute the exchange sequence is as follows, where $X$ is a variable denoting an exchange sequence:

$[L \mid M^{-}, L']\ \&\ SS\ \&\ (M\in\mathcal{I}, IK)\ \&\ (M^{-}, X) \to [L, M^{-} \mid L']\ \&\ SS\ \&\ (M\in\mathcal{I}, IK)\ \&\ X$

$[L \mid M^{+}, L']\ \&\ SS\ \&\ IK\ \&\ (M^{+}, X) \to [L, M^{+} \mid L']\ \&\ SS\ \&\ IK\ \&\ X$

$[L \mid M^{+}, L']\ \&\ SS\ \&\ (M\notin\mathcal{I}, IK)\ \&\ (M^{+}, X) \to [L, M^{+} \mid L']\ \&\ SS\ \&\ (M\in\mathcal{I}, IK)\ \&\ X$

for each $[l_1, u^{+}, l_2] \in S_P$: $\ [l_1 \mid u^{+}, l_2]\ \&\ SS\ \&\ (u\notin\mathcal{I}, IK)\ \&\ (u^{+}, X) \to SS\ \&\ (u\in\mathcal{I}, IK)\ \&\ X$

Reachability completeness is obviously preserved for this set of rules and for the obvious extensions to $R_P$ and $R'_P$. For instance, the resuscitated state of Example 9 will be written as follows, where the resuscitated message is the first item in the exchange sequence:

$[\ nil \mid exp(X,n(a,r))^{-},\ e(exp(X,n(a,r)), sec(a,r''))^{-},\ sec(a,r'')^{+}\ ]\ \&$
$:: r, r'' ::$
$[\ (a;B';exp(g,n(a,r)))^{+},\ (B';a;X)^{-},\ (e(exp(X,n(a,r)), sec(a,r'')))^{+} \mid nil\ ]\ \&$
$:: r' ::\ [\ (A;B;Y)^{-},\ (B;A;exp(g,n(B,r')))^{+} \mid (e(exp(Y, n(B,r')), sec(a,r'')))^{-}\ ]\ \&$
$(\ e(exp(Y,n(B,r')), sec(a,r''))\in\mathcal{I},\ exp(X,n(a,r))\in\mathcal{I},$
$\ \ e(exp(X,n(a,r)), sec(a,r''))\in\mathcal{I},\ sec(a,r'')\notin\mathcal{I}\ )\ \&$
$(\ resuscitated(exp(X,n(a,r))),\ (exp(X,n(a,r)))^{-},\ (e(exp(X,n(a,r)), sec(a,r'')))^{-},$
$\ \ (sec(a,r''))^{+},\ (exp(Y,n(b,r')))^{-},\ (sec(a,r''))^{-},\ (e(exp(Y,n(b,r')), sec(a,r'')))^{+},$
$\ \ (e(exp(Y,n(b,r')), sec(a,r'')))^{-}\ )$



In [B], we provided a very simple rule for approximating Definition 13 



Definition 14. Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and two non-initial states $St_1, St_2$, we write $St_1 \not\rightsquigarrow St_2$ if either $St_1$ does not contain an expression $ghost(m)$ for a message term $m$, or $St_1$ does contain an expression $ghost(m)$ for a message term $m$ but $St_2$ does not contain the expression $resuscitated(m)$.



The following result establishes that $\rightsquigarrow$ is an approximation of $\frown$. The proof is straightforward.

Lemma 6. Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and two non-initial states $St_1, St_2$, if $St_1 \frown St_2$, then $St_1 \rightsquigarrow St_2$.



Now, we can provide a better transition subsumption relation. 
Definition 15 ($\mathcal{P}$-subsumption relation II). Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and two non-initial states $St_1, St_2$, we write $St_1 \blacktriangleright_{II} St_2$ and say that $St_2$ is $\mathcal{P}$-subsumed by $St_1$ if there is a substitution $\theta$ s.t. $\theta(St_1) \triangleright St_2$ and $\theta(St_1) \not\rightsquigarrow St_2$.

Reachability completeness is straightforward from Lemma 6 and Proposition 4, since $St_1 \not\rightsquigarrow St_2$ implies $St_1 \not\frown St_2$.

Though this method solves the problem, it disables transition subsumption almost completely for the states generated after a resuscitation, since $\rightsquigarrow$ is a coarse over-approximation of $\frown$: any resuscitation of the ghost term blocks subsumption, whether or not the two states are actually linked. Here, we provide a more precise definition of the interaction between the transition subsumption and the super-lazy intruder reduction techniques.

We characterize those states after a resuscitation that are truly linked to the parent state. First, we identify those states that are directly resuscitated versions of a former state. Intuitively, by comparing the exchange sequences of the two states, we can see whether the exchange sequence of the former is $(L_1, L_2, L_3)$ and it has a ghost expression $ghost(M_1)$, whereas the exchange sequence of the resuscitated version is $(L_1, resuscitated(M_1), L_2, L_3)$.

Definition 16. Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and two non-initial states $St_1, St_2$, we say that $St_2$ is a direct resuscitated version of $St_1$, written $St_1 \twoheadrightarrow St_2$, if there are messages $M_1$ and $M_2$ and a substitution $\rho$ such that

1. state $St_1$ has a ghost of the form $ghost(M_1)$,

2. the exchange sequence of state $St_1$ is of the form

$(L_1, L_2, M_2^{\pm}, L_3)$

3. the exchange sequence of state $St_2$ is of the form

$(L'_1, resuscitated(M_1), L'_2, M_2^{\pm}, L'_3),$

4. and $\rho(L_1, L_2, M_2^{\pm}, L_3) =_{E_P} (L'_1, L'_2, M_2^{\pm}, L'_3)$.

Relation $\twoheadrightarrow$ is closer to $\frown$.
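The following Python is an added example, not the tool's code, of the two syntactic checks on exchange sequences: the relation $\rightsquigarrow$ of Definition 14 (in its positive form, i.e. the cases in which subsumption must be blocked) and the direct resuscitated version of Definition 16, on constructed sequences in the style of Example 9. Two assumptions are made here: $E_P$-equality is replaced by one-way syntactic matching, and the $resuscitated$ term is compared with the ghost term under the same matching substitution $\rho$, so that $ghost(K)$ pairs with $resuscitated(exp(X, n(a,r)))$.

```python
# Added example (not Maude-NPA code): the exchange-sequence approximations of
# the resuscitated-child relation, Definition 14 (squiggly arrow, positive
# form) and Definition 16 (direct resuscitated version), on constructed states.
# An exchange sequence is a list of entries ("msg", term, sign) or
# ("res", term); a state records it together with its ghost terms. Assumed:
# one-way syntactic matching instead of E_P-equality, and the resuscitated
# term is matched against the ghost term under the same substitution rho.

def is_var(t):
    return isinstance(t, str) and t[:1].isupper()

def match(pat, term, rho):
    """Extend rho so that rho(pat) == term; return None if impossible."""
    if is_var(pat):
        if pat in rho:
            return rho if rho[pat] == term else None
        extended = dict(rho)
        extended[pat] = term
        return extended
    if isinstance(pat, str) or isinstance(term, str):
        return rho if pat == term else None
    if pat[0] != term[0] or len(pat) != len(term):
        return None
    for p, t in zip(pat[1:], term[1:]):
        rho = match(p, t, rho)
        if rho is None:
            return None
    return rho

def match_sequence(pats, entries, rho):
    """Entry-wise matching of two exchange sequences of equal length."""
    if len(pats) != len(entries):
        return None
    for p, e in zip(pats, entries):
        if p[0] != e[0] or (p[0] == "msg" and p[2] != e[2]):
            return None
        rho = match(p[1], e[1], rho)
        if rho is None:
            return None
    return rho

def related_I(st1, st2):
    """Definition 14 in positive form: St1 carries ghost(m) and St2 carries a
    resuscitated entry whose term is an instance of m. Its negation is the
    guard of P-subsumption relation II."""
    return any(match(m, e[1], {}) is not None
               for m in st1["ghosts"] for e in st2["seq"] if e[0] == "res")

def direct_resuscitated(st1, st2):
    """Definition 16: dropping one resuscitated(M1') entry from the exchange
    sequence of St2 leaves an instance rho of the whole sequence of St1, with
    rho(M1) == M1' for the ghost term M1."""
    for i, e in enumerate(st2["seq"]):
        if e[0] != "res":
            continue
        rest = st2["seq"][:i] + st2["seq"][i + 1:]
        for m in st1["ghosts"]:
            rho = match(m, e[1], {})
            if rho is not None and match_sequence(st1["seq"], rest, rho) is not None:
                return True
    return False

# Constructed states in the style of Example 9.
SEC = ("sec", "a", "r''")
KEY = ("exp", "X", ("n", "a", "r"))
GHOST_STATE = {"ghosts": ["K"], "seq": [
    ("msg", "K", "-"), ("msg", ("e", "K", SEC), "-"), ("msg", SEC, "+")]}
RESUSCITATED = {"ghosts": [], "seq": [
    ("res", KEY), ("msg", KEY, "-"), ("msg", ("e", KEY, SEC), "-"), ("msg", SEC, "+")]}
# A descendant that took one more step after the resuscitation: still related
# under Definition 14, but no longer a direct resuscitated version.
DESCENDANT = {"ghosts": [], "seq": [
    ("res", KEY), ("msg", KEY, "-"), ("msg", ("e", KEY, SEC), "-"),
    ("msg", SEC, "+"), ("msg", ("exp", "g", ("n", "b", "r'")), "-")]}
UNRELATED = {"ghosts": [], "seq": [("msg", ("exp", "g", ("n", "b", "r'")), "-")]}

if __name__ == "__main__":
    for name, st in (("resuscitated", RESUSCITATED), ("descendant", DESCENDANT),
                     ("unrelated", UNRELATED)):
        print(name, related_I(GHOST_STATE, st), direct_resuscitated(GHOST_STATE, st))
```

Because a ghost that is a bare variable matches every term, `related_I` fires for any resuscitation at all once $St_1$ holds $ghost(K)$; that is the coarseness the text attributes to $\rightsquigarrow$. The `DESCENDANT` case is the gap Definition 17 closes by stripping the extra exchange and recursing.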

Lemma 7. Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and two non-initial states $St_1, St_2$, if $St_1 \twoheadrightarrow St_2$, then $St_1 \frown St_2$.

However, $St_1 \frown St_2$ does not imply $St_1 \twoheadrightarrow St_2$, and we have to go even further. Relation $St_1 \twoheadrightarrow St_2$ takes into account only whether $St_2$ is a resuscitated version of $St_1$, but does not consider what happens beyond the state that produced the instantiation that reactivated the ghost state. Intuitively, now we compare the exchange sequences of the two states to see whether the exchange sequence of the first is $(L_1, L_2, L_3, M_2^{\pm}, L_4)$ and it has a ghost expression $ghost(M_1)$, whereas the exchange sequence of the second is $(L_1, M_1^{\pm}, L_2, resuscitated(M_1), L_3, M_2^{\pm}, L_4)$. Indeed, a recursive definition can be given here that becomes extremely useful when several resuscitations have happened in a concrete state.
Definition 17. Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and two non-initial states $St_1, St_2$, we say that $St_2$ is a resuscitated version of $St_1$, written $St_1 \twoheadrightarrow^{+} St_2$, if $St_1 \twoheadrightarrow St_2$ or there are messages $M_1$ and $M_2$, a substitution $\rho$, and sequences $L'_1, L''_1$ such that:

1. state $St_1$ has a ghost of the form $ghost(M_1)$,

2. the exchange sequence of state $St_1$ is of the form

$(L_1, L_2, L_3, M_2^{\pm}, L_4)$

3. the exchange sequence of state $St_2$ is of the form

$(L'_1, L''_1, L'_2, resuscitated(M_1), L'_3, M_2^{\pm}, L'_4)$

4. $\rho(L_2, L_3, M_2^{\pm}, L_4) =_{E_P} (L'_2, L'_3, M_2^{\pm}, L'_4)$

5. $L''_1$ is the longest sequence such that each message in $L''_1$ has message $\rho(M_1)$ as a subterm

6. and either

(a) $\rho(L_1) =_{E_P} L'_1$ or

(b) $St'_1 \twoheadrightarrow^{+} St'_2$ where $St'_1$ is $St_1$ without the $ghost(M_1)$ expression and $St'_2$ is $St_2$ with the shorter exchange sequence $(L'_1, L'_2, L'_3, M_2^{\pm}, L'_4)$.

The following result establishes that $\twoheadrightarrow^{+}$ is a better approximation of $\frown$ than $\rightsquigarrow$. The proof is straightforward.

Lemma 8. Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and two non-initial states $St_1, St_2$, if $St_1 \frown St_2$, then $St_1 \twoheadrightarrow^{+} St_2$.

Now, we can provide a better transition subsumption relation.

Definition 18 ($\mathcal{P}$-subsumption relation III). Given a topmost rewrite theory $\mathcal{R}_P = (\Sigma_P, E_P, R_P)$ representing protocol $P$ and two non-initial states $St_1, St_2$, we write $St_1 \blacktriangleright_{III} St_2$ and say that $St_2$ is $\mathcal{P}$-subsumed by $St_1$ if there is a substitution $\theta$ s.t. $\theta(St_1) \triangleright St_2$ and $St_1 \not\twoheadrightarrow^{+} St_2$.

Finally, reachability completeness is straightforward from Lemma 8 and Proposition 4, since $St_1 \not\twoheadrightarrow^{+} St_2$ implies $St_1 \not\frown St_2$.

5. Experimental Evaluation

In Table 1 we summarize the experimental evaluation of the impact of the different state space reduction techniques for various example protocols, searching up to depth 4. We measure two things for each technique: (i) the number of states at each backwards narrowing step, and (ii) whether the state space is finite or not. The experiments have been performed on a MacBook with 2 GB RAM using Maude 2.6. All protocol specifications are included in the official Maude-NPA distribution, available at http://maude.cs.uiuc.edu/tools/Maude-NPA. The protocols are the following: (i) NSPK,
Grammars
Protocol  | none (states per step)        | Grammars (states per step)    | %
NSPK      | 5   19   136   642   4021     | 4   12   49    185   758      | 81
NSL       | 5   19   136   642   4019     | 4   12   50    190   804      | 79
SecReT06  | 1   6    22    119   346      | 1   2    6     15    36       | 89
SecReT07  | 6   20   140   635   4854     | 6   17   111   493   3823     | 21
DH        | 1   14   38    151   816      | 1   6    14    37    105      | 87

Input First
Protocol  | none (states per step)        | Input First (states per step)     | %
NSPK      | 5   19   136   642   4021     | 11   123   1669   26432   N/A     | 0
NSL       | 5   19   136   642   4019     | 11   123   1666   26291   N/A     | 0
SecReT06  | 1   6    22    119   346      | 11   133   1977   32098   N/A     | 0
SecReT07  | 6   20   140   635   4854     | 11   127   3402   N/A     N/A     | 0
DH        | 1   14   38    151   816      | 14   135   1991   44157   N/A     | 0

Inconsistency
Protocol  | none (states per step)        | Inconsistency (states per step) | %
NSPK      | 5   19   136   642   4021     | 5   18   95    310   650        | 83
NSL       | 5   19   136   642   4019     | 5   18   95    310   650        | 83
SecReT06  | 1   6    22    119   346      | 1   6    22    114   326        | 5
SecReT07  | 6   20   140   635   4854     | 6   18   107   439   3335       | 31
DH        | 1   14   38    151   816      | 1   12   12    56    128        | 84

Transition Subsumption
Protocol  | none (states per step)        | Transition Subsumption (states per step) | %
NSPK      | 5   19   136   642   4021     | 5   15   61    107   237                 | 94
NSL       | 5   19   136   642   4019     | 5   15   61    107   237                 | 94
SecReT06  | 1   6    22    119   346      | 1   6    15    39    78                  | 77
SecReT07  | 6   20   140   635   4854     | 6   15   61    165   506                 | 89
DH        | 1   14   38    151   816      | 1   14   26    102   291                 | 64

Super-lazy Intruder
Protocol  | none (states per step)        | Super-lazy Intruder (states per step) | %
NSPK      | 5   19   136   642   4021     | 5   19   136   641   3951             | 1
NSL       | 5   19   136   642   4019     | 5   19   136   641   3949             | 2
SecReT06  | 1   6    22    119   346      | 1   6    22    119   340              | 2
SecReT07  | 6   20   140   635   4854     | 6   16   44    134   424              | 91
DH        | 1   14   38    151   816      | 1   14   38    138   525              | 35

All optimizations
Protocol  | none (states per step)        | All optimizations (states per step) | %
NSPK      | 5   19   136   642   4021     | 4   6    4     2     1              | 99
NSL       | 5   19   136   642   4019     | 4   7    6     2     -              | 99
SecReT06  | 1   6    22    119   346      | 2   3    2     -     -              | 99
SecReT07  | 6   20   140   635   4854     | 5   1    1     1     -              | 99
DH        | 1   14   38    151   816      | 4   6    10    9     12             | 99

Table 1: Number of states at each of the first backwards narrowing steps (listed left to right in each cell) for the unoptimized search ("none") and for each optimization of Sections 4.1, 4.4, 4.5, 4.6 and 4.7. The last column is the percentage reduction in the number of states at the deepest step shown (e.g. NSPK with grammars: 758 instead of 4021 states, an 81% reduction).



the standard Needham-Schroeder protocol, (ii) NSL, the standard Needham-Schroeder protocol with Lowe's fix (which is secure, and our tool can prove it), (iii) SecReT06, a protocol with an attack using type confusion and a bounded version of associativity that we presented in [5], (iv) SecReT07, a short version of the Diffie-Hellman protocol that we presented in [3], and (v) DH, the Diffie-Hellman protocol of Example 1. Note that the label "-" means that the reachability analysis finished some levels before, and the label "N/A" means that the execution was stopped after a reasonably large execution time.

The overall percentage of state-space reduction for each protocol and the average (99%) suggest that our combined techniques are remarkably effective (the reduced number of states is on average only 1% or less of the original number of states). The state reduction achieved by consuming input messages first is difficult to analyze, since the reduction shown in Table 1 for this optimization (labelled as "Input First") is 0. The reason is that it can reduce the number of states in protocols that contain several input messages in the strands, as in the NSPK protocol, but in general it simply reduces the length of the narrowing sequences, and therefore more states are generated at an earlier depth of the narrowing tree than when the optimization is not used. Table 2 summarizes the different techniques yielding a finite space for each protocol. The use of grammars and the transition subsumption are clearly the most useful techniques in general. Indeed, all examples have a finite search space thanks to the combined use of the different state space reduction techniques. Note that grammars are insufficient to obtain a finite space for the SecReT07 example, while subsumption and the super-lazy intruder are essential in this case.

Protocol  | Finite state space achieved by
NSPK      | Grammars and Subsumption
NSL       | Grammars and Subsumption
SecReT06  | Subsumption or (Grammars and Lazy)
SecReT07  | Subsumption and Lazy
DH        | Grammars and Subsumption

Table 2: Finite state space achieved by reduction techniques

6. Concluding Remarks 

The Maude-NPA can analyze the security of cryptographic protocols, mod- 
ulo given algebraic properties of the protocol's cryptographic functions in exe- 
cutions with an unbounded number of sessions and with no approximations or 
data abstractions. In this full generality, protocol security properties are well- 
known to be undecidable. The Maude-NPA uses backwards narrowing-based 
search from a symbolic description of a set of attack states by means of patterns 
to try to reach an initial state of the protocol. If an attack state is reachable 
from an initial state, the Maude-NPA's complete narrowing methods are guar- 
anteed to prove it. But if the protocol is secure, the backwards search may be 
infinite and never terminate. 

It is therefore very important, both for efficiency and to achieve full verification whenever possible when a protocol is secure, to use state-space reduction techniques that: (i) can drastically cut down the number of states to be explored; and (ii) have in practice a good chance of making the, generally infinite, search space finite without compromising the completeness of the analysis; that is, so that if a protocol is indeed secure, failure to find an attack in such a finite state space guarantees the protocol's security for that attack relative to the assumptions about the intruder actions and the algebraic properties. We have presented a number of state-space reduction techniques used in combination by the Maude-NPA for exactly these purposes. We have given precise characterizations of these techniques and have shown that they preserve completeness, so that if no attack is found and the state space is finite, full verification of the given security property is achieved.

Using several representative examples we have also given an experimental evaluation of these techniques. Our experiments support the conclusion that, when used in combination, these techniques: (i) typically provide drastic state space reductions; and (ii) can often yield a finite state space, so that whether the desired security property holds or not can in fact be decided automatically, in spite of the general undecidability of such problems.